CVE-2026-41048 - qSnapper polkit authorization cache cross-method bypass

CVE-2026-41048 - qSnapper polkit authorization cache cross-method bypass - High - 2026-06-22

Business risk: A user authorized for a low-risk snapshot action can reuse cached approval for destructive root-level actions.

Root cause: Authentication cache state is reused across different polkit methods instead of being bound to the action authorized.

Affected versions

  • Vulnerable: qSnapper before 1.3.3.
  • Fixed / safe target: Upgrade qSnapper to 1.3.3+ and key authorization cache entries by exact polkit action/method.
  • CVSS: 7.1 (High)

Exact vulnerable code pattern

if (authCache[caller]) {
    runRequestedSnapperMethod(request.method());
}

Fixed / mitigated code pattern

AuthKey key{caller.uid, caller.pid, request.method(), actionFor(request.method())};
if (!authCache.isFresh(key) || !polkitAllowed(caller, key.action)) {
    throw AuthorizationError(key.action);
}
runRequestedSnapperMethod(request.method());

Step-by-step integration guide

  1. Upgrade qSnapper to 1.3.3+.
  2. Review downstream patches for caller-only authorization caches.
  3. Add delete-vs-restore permission tests.
  4. Invalidate qSnapper auth/cache state during deploy.
  5. Update polkit policies to least privilege per action.

Alternative mitigations

  • Disable cached qSnapper authorization if configurable.
  • Require admin group membership for all qSnapper actions.
  • Alert on restore/rollback calls by non-admin users.

Detection signature

rg -n "authCache|authorization.*cache|restore.*snapshot|delete.*snapshot|org.opensuse.qsnapper" .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-41048: qSnapper polkit authorization cache cross-method bypass.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-41048 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, qsnapper, polkit, authorization-cache, linux, enterprise_blocker, high
  • Affected tech stack: linux/system
  • Revenue tags: enterprise_blocker

References