CVE-2026-10294: PackageKit Authorization Bypass in versions up to 1.3.5
PackageKit, a system library for package management on Linux, contains an authorization bypass vulnerability in versions up to 1.3.5. An authenticated attacker can manipulate the frontend-socket parameter in the API to gain unauthorized access to sensitive information. The vulnerability requires an existing user account to exploit but does not require user interaction. While the attack surface is somewhat limited by authentication requirements, the unauthorized information disclosure poses a real security concern for systems relying on PackageKit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-266, CWE-285
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function g_file_test of the file src/pk-transaction.c of the component API. Such manipulation of the argument frontend-socket leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10294 is an improper authorization flaw in PackageKit's g_file_test function within src/pk-transaction.c. The vulnerability stems from insufficient validation of the frontend-socket argument passed to the API, allowing an authenticated attacker to bypass authorization controls and read sensitive data. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects network accessibility, low attack complexity, requirement for low privileges, and limited confidentiality impact. The issue is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), indicating the system fails to properly restrict access based on user rights.
Business impact
Information disclosure through this vulnerability could expose package management operations, system configuration details, or user activity logs to unauthorized parties. On multi-user systems or those with federated access, this may lead to lateral movement intelligence or reconnaissance of system administration actions. The limited scope and confidentiality-only impact (no integrity or availability loss) suggests this is a lower-tier risk compared to critical vulnerabilities, but organizations managing sensitive deployments should still prioritize remediation to maintain proper access controls and audit boundaries.
Affected systems
PackageKit versions up to and including 1.3.5 are affected. PackageKit is commonly integrated into Linux distributions as a system service for managing software packages through a unified API. This includes distributions using PackageKit for graphical package management, automated updates, and enterprise software deployment. Organizations should verify their PackageKit version and deployment scope, particularly in environments where multiple users or services interact with the package management layer.
Exploitability
The vulnerability has been publicly disclosed, increasing the risk of weaponized exploits. However, exploitation requires an existing user account with authentication credentials—unauthenticated remote attacks are not possible. The attack is straightforward once authenticated (low attack complexity), and no user interaction is needed. This limits but does not eliminate the threat; insider threats, compromised service accounts, or systems with permissive authentication policies remain vulnerable. The public disclosure warrants faster-than-normal patching timelines.
Remediation
Upgrade PackageKit to a version newer than 1.3.5 as soon as possible. Organizations should verify the specific patched version available for their Linux distribution and deployment method (package manager, container image, or manual build). Until patching is complete, consider restricting authentication and API access to PackageKit only to trusted accounts and processes, and monitor logs for suspicious frontend-socket parameter manipulation.
Patch guidance
Contact your Linux distribution vendor or check PackageKit's official repository for the latest available version. Since vendor-specific patch versions vary, verify against your distribution's security advisory or PackageKit's release notes to confirm the version includes this fix. Test patches in a non-production environment before broad deployment to ensure compatibility with dependent services and workflows.
Detection guidance
Monitor system logs and PackageKit audit records for unauthorized attempts to invoke the g_file_test function with crafted frontend-socket parameters. Watch for API calls originating from unexpected user contexts or processes, particularly those not typically performing package management operations. Network-based detection should focus on PackageKit API traffic from unexpected sources or with unusual parameters. Organizations using SecurityMonitoring or endpoint detection and response (EDR) tools should create detection rules around PackageKit authorization failures and privileged API access anomalies.
Why prioritize this
This vulnerability merits prompt but measured attention. The public disclosure and low attack complexity warrant faster remediation than typical medium-severity issues, but the requirement for authentication and information-disclosure-only impact place it below critical and high-severity threats in absolute priority. Organizations should patch within standard maintenance windows but need not declare emergency change procedures unless they operate high-sensitivity multi-user systems or have determined PackageKit exposure to untrusted principals.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects multiple mitigating factors: exploitation requires prior authentication (PR:L), the attack is network-accessible but straightforward (AV:N/AC:L), and the impact is limited to confidentiality with no integrity or availability loss (C:L/I:N/A:N). The score does not account for the public disclosure, which increases real-world risk. Organizations should interpret this as a baseline; individual risk may be higher in multi-user, federated, or insider-threat-sensitive environments.
Frequently asked questions
Can this vulnerability be exploited without any credentials?
No. The vulnerability requires an authenticated user account or service with valid credentials to access the PackageKit API. Unauthenticated remote exploitation is not possible.
What information can an attacker actually access or modify?
The vulnerability allows unauthorized confidentiality access—an attacker can read information they should not normally see. It does not permit modification (integrity) or disruption (availability) of package management functions, limiting the direct damage.
Is this vulnerability included in any active exploitation campaigns or ransomware?
There is no evidence of inclusion in the Known Exploited Vulnerabilities (KEV) catalog or active ransomware campaigns at this time. However, public disclosure means malicious actors could develop exploits, so prompt patching is still recommended.
Do I need to take emergency action, or can I patch during regular maintenance?
Emergency action is not required unless you operate a multi-user system where untrusted users or service accounts can access PackageKit, or you have other high-risk exposure factors. Otherwise, plan patching during your standard change windows within the next 1–2 weeks.
This analysis is provided for informational purposes and represents SEC.co's interpretation of the published vulnerability data as of the modification date. Patch versions, affected software configurations, and remediation timelines vary by vendor and distribution; all organizations must verify details against official vendor advisories and their own deployment inventories. This assessment does not constitute professional security advice for any specific organization and should be evaluated in the context of individual risk tolerance, threat models, and operational constraints. SEC.co makes no warranty regarding the completeness or accuracy of patch information; verify all patches before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel
- CVE-2026-10282MEDIUMBottelet DaybydayCRM Authorization Bypass in DocumentsController
- CVE-2026-10284MEDIUMImproper Authorization in DevaslanPHP Project-Management Comment Functions
- CVE-2026-10285MEDIUMDevaslanPHP Improper Authorization in Ticket Handler