CVE-2026-41048 - qSnapper polkit authorization cache cross-method bypass
CVE-2026-41048 - qSnapper polkit authorization cache cross-method bypass - High - 2026-06-22
Business risk: A user authorized for a low-risk snapshot action can reuse cached approval for destructive root-level actions.
Root cause: Authentication cache state is reused across different polkit methods instead of being bound to the action authorized.
Affected versions
- Vulnerable: qSnapper before 1.3.3.
- Fixed / safe target: Upgrade qSnapper to 1.3.3+ and key authorization cache entries by exact polkit action/method.
- CVSS: 7.1 (High)
Exact vulnerable code pattern
if (authCache[caller]) {
runRequestedSnapperMethod(request.method());
}
Fixed / mitigated code pattern
AuthKey key{caller.uid, caller.pid, request.method(), actionFor(request.method())};
if (!authCache.isFresh(key) || !polkitAllowed(caller, key.action)) {
throw AuthorizationError(key.action);
}
runRequestedSnapperMethod(request.method());
Step-by-step integration guide
- Upgrade qSnapper to 1.3.3+.
- Review downstream patches for caller-only authorization caches.
- Add delete-vs-restore permission tests.
- Invalidate qSnapper auth/cache state during deploy.
- Update polkit policies to least privilege per action.
Alternative mitigations
- Disable cached qSnapper authorization if configurable.
- Require admin group membership for all qSnapper actions.
- Alert on restore/rollback calls by non-admin users.
Detection signature
rg -n "authCache|authorization.*cache|restore.*snapshot|delete.*snapshot|org.opensuse.qsnapper" .
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-41048: qSnapper polkit authorization cache cross-method bypass.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-41048 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, qsnapper, polkit, authorization-cache, linux, enterprise_blocker, high
- Affected tech stack: linux/system
- Revenue tags: enterprise_blocker