---

Name	CVE-2026-34080
Description	xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4542-1, DSA-6209-1, DSA-6224-1
Debian Bugs	1132939

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
xdg-dbus-proxy (PTS)	bullseye	0.1.2-2	vulnerable
bullseye (security)	0.1.2-2+deb11u1	fixed
bookworm, bookworm (security)	0.1.4-3+deb12u1	fixed
trixie (security), trixie	0.1.6-1+deb13u1	fixed
forky, sid	0.1.7-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
xdg-dbus-proxy	source	bullseye	0.1.2-2+deb11u1	DLA-4542-1
xdg-dbus-proxy	source	bookworm	0.1.4-3+deb12u1	DSA-6224-1
xdg-dbus-proxy	source	trixie	0.1.6-1+deb13u1	DSA-6209-1
xdg-dbus-proxy	source	(unstable)	0.1.7-1	1132939

Notes

https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677
Fixed by: https://github.com/flatpak/xdg-dbus-proxy/commit/4d0d1d74d4f40260a79161163b4b2f7276bce0b0 (0.1.7)

---

---