CVE-2026-41049 - qSnapper polkit authorization cache cross-user bypass
CVE-2026-41049 - qSnapper polkit authorization cache cross-user bypass - High - 2026-06-22
Business risk: One privileged user approval can be reused by another local user to execute root-level snapshot actions.
Root cause: Authorization cache entries are shared between users of the qSnapper D-Bus service.
Affected versions
- Vulnerable: qSnapper before 1.3.3.
- Fixed / safe target: Upgrade qSnapper to 1.3.3+ and bind cached authorization to the exact D-Bus subject/user/session.
- CVSS: 7.1 (High)
Exact vulnerable code pattern
static bool recentlyAuthorized;
if (recentlyAuthorized || polkitAllowed(caller, action)) {
recentlyAuthorized = true;
runRootSnapperAction(action);
}
Fixed / mitigated code pattern
AuthKey key{caller.uid, caller.pid, caller.sessionId, action};
if (!authCache.isFresh(key) && !polkitAllowed(caller, action)) {
throw AuthorizationError(action);
}
authCache.store(key, clock.now());
runRootSnapperAction(action);
Step-by-step integration guide
- Upgrade qSnapper to 1.3.3+.
- Restart qSnapper/D-Bus services to clear in-memory cache.
- Add cross-user authorization tests.
- Audit local user access on shared systems.
- Deploy stricter polkit rules on multi-user hosts.
Alternative mitigations
- Disable qSnapper on shared desktops.
- Restrict qSnapper D-Bus methods to an admin group.
- Force service restart after privileged use until patched.
Detection signature
rg -n "qSnapper|authCache|recentlyAuthorized|polkitAllowed|DBus" . /usr/share /etc
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-41049: qSnapper polkit authorization cache cross-user bypass.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-41049 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, qsnapper, polkit, authorization-cache, linux, privilege-escalation, enterprise_blocker, high
- Affected tech stack: linux/system
- Revenue tags: enterprise_blocker