CVE-2026-41049 - qSnapper polkit authorization cache cross-user bypass

CVE-2026-41049 - qSnapper polkit authorization cache cross-user bypass - High - 2026-06-22

Business risk: One privileged user approval can be reused by another local user to execute root-level snapshot actions.

Root cause: Authorization cache entries are shared between users of the qSnapper D-Bus service.

Affected versions

  • Vulnerable: qSnapper before 1.3.3.
  • Fixed / safe target: Upgrade qSnapper to 1.3.3+ and bind cached authorization to the exact D-Bus subject/user/session.
  • CVSS: 7.1 (High)

Exact vulnerable code pattern

static bool recentlyAuthorized;
if (recentlyAuthorized || polkitAllowed(caller, action)) {
    recentlyAuthorized = true;
    runRootSnapperAction(action);
}

Fixed / mitigated code pattern

AuthKey key{caller.uid, caller.pid, caller.sessionId, action};
if (!authCache.isFresh(key) && !polkitAllowed(caller, action)) {
    throw AuthorizationError(action);
}
authCache.store(key, clock.now());
runRootSnapperAction(action);

Step-by-step integration guide

  1. Upgrade qSnapper to 1.3.3+.
  2. Restart qSnapper/D-Bus services to clear in-memory cache.
  3. Add cross-user authorization tests.
  4. Audit local user access on shared systems.
  5. Deploy stricter polkit rules on multi-user hosts.

Alternative mitigations

  • Disable qSnapper on shared desktops.
  • Restrict qSnapper D-Bus methods to an admin group.
  • Force service restart after privileged use until patched.

Detection signature

rg -n "qSnapper|authCache|recentlyAuthorized|polkitAllowed|DBus" . /usr/share /etc

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-41049: qSnapper polkit authorization cache cross-user bypass.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-41049 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, qsnapper, polkit, authorization-cache, linux, privilege-escalation, enterprise_blocker, high
  • Affected tech stack: linux/system
  • Revenue tags: enterprise_blocker

References