Bug 2494110 (CVE-2026-13601)

Summary: CVE-2026-13601 yelp: yelp-xsl: Overly Permissive Content Security Policy in Yelp Allows Host File Disclosure from Flatpak Applications
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document, attacker-controlled content can bypass Flatpak's intended sandbox isolation, allowing Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests. This may result in the unauthorized disclosure of sensitive information.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2494116, 2494117, 2494118    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-29 08:53:59 UTC
A local sandbox escape and host information disclosure flaw was found in Yelp. A regression introduced in the companion yelp-xsl stylesheet component targets the gnome-42 and master development branches, leaving the application's Content Security Policy (CSP) style handling directives overly permissive.

A malicious or compromised sandboxed Flatpak application can programmatically abuse the standard host org.freedesktop.portal.OpenURI portal interface to pass crafted help layout files (ghelp:// or mallard extensions). Because the system portal processes this request silently without requiring user interaction, host-level Yelp is automatically invoked to parse the file outside the application container. The attacker-controlled layout leverages local XML inclusions to load arbitrary host-level files into memory, which are subsequently exfiltrated out-of-band to a remote server using a background CSS url() query embedded inside a structured SVG document.