CVE-2026-2604 is a vulnerability in Red Hat Enterprise Linux (RHEL)
Published on June 16, 2026
Evolution-data-server: evolution data server: arbitrary file deletion via inconsistent uri handling
A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory traversal sequences. This URI is stored without proper validation during contact creation or modification. Later, during contact deletion, the URI is processed with a less strict check, leading to the deletion of arbitrary files on the host filesystem. This could potentially include critical Flatpak override files.
Vulnerability Analysis
CVE-2026-2604 is exploitable with local system access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and a small impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.
Products Associated with CVE-2026-2604
Want to know whenever a new CVE is published for Red Hat Enterprise Linux (RHEL)? stack.watch will email you.
Affected Versions
GNOME Evolution Data Server:- Before 3.59.3 is affected.