What is XDG-Desktop-Portal used for?

It's the D-Bus service bridging sandboxed apps (like Flatpak) to desktop features — file pickers, trash, screenshots — without breaking containment.

Does XDG-Desktop-Portal 1.20.4 fix all Flatpak security issues?

No, just the trash symlink race. Flatpak's safe overall, but update for this one.

How do I update XDG-Desktop-Portal on Linux?

Via your distro packages (e.g., sudo dnf update xdg-desktop-portal on Fedora) or build from GitHub source.

Is this vulnerability exploitable in the wild?

Unlikely reported, but trivial for targeted malware in untrusted Flatpaks.

🔒 Security & Privacy

XDG-Desktop-Portal 1.20.4 Plugs Symlink Hole That Let Sandboxed Apps Trash Host Files

A sneaky symlink race in XDG-Desktop-Portal let sandboxed apps trash files outside their jail. The 1.20.4 release slams that door with file descriptors — a quiet but essential win for Flatpak users.

theAIcatchup Apr 08, 2026 4 min read

GitHub release page for XDG-Desktop-Portal 1.20.4 announcing symlink trash fix

⚡ Key Takeaways

XDG-Desktop-Portal 1.20.4 switches to file descriptors to block symlink races in trash operations. 𝕏
The vuln let sandboxed apps delete arbitrary host files via path-trusting GLib calls. 𝕏
Signals a broader push to fd-based primitives in Linux desktop sandboxing. 𝕏

Published by

theAIcatchup

Community-driven. Code-first.

#Flatpak security #Linux sandboxing #XDG-Desktop-Portal #symlink race

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Phoronix

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

React Server Components' Perfect-Score RCE Flaw Exposes Millions of Apps

Anthropic's One-Line Fumble Leaks Billions in Code

North Korean Hackers Hijack GitHub Repos as Spy Command Posts Against South Korea

zxcvbn Exposes Why Signup Password Rules Fail

Stay in the loop