Improper access control in PackageKit - #VU126936


Published: April 23, 2026


Vulnerability identifier: #VU126936
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: PackageKit
Software vendor: Richard Hughes

Description

The vulnerability allows a local user to bypass authorization and perform package installation or removal as root.

The vulnerability exists due to improper access control in packagekitd and the Slackware backend when processing install or remove transactions with the ONLY_DOWNLOAD flag set. A local user can send a crafted package management request with the ONLY_DOWNLOAD flag to bypass authorization and perform package installation or removal as root.

The issue affects the Slackware backend because it does not enforce download-only behavior for install and remove operations.


Remediation

Install the security update from the vendor's website.

External links