Flatpak 1.10.2 update fixes sandbox isolation vulnerability

A corrective update, Flatpak 1.10.2, is available for the self-contained application packaging tool. It fixes a vulnerability (CVE-2021-21381) that could allow the author of a package containing an application to bypass sandbox isolation and gain access to files on the host system. The problem has been present since release 0.9.4.

The vulnerability is caused by an error in the implementation of the file forwarding feature, which makes it possible, through manipulation of the .desktop file, to access resources in the host file system that the running application is not allowed to reach. When files are marked with the "@@" and "@@u" tokens in the Exec field, flatpak assumes that the specified target files were explicitly chosen by the user and automatically forwards access to them into the sandbox. Authors of malicious packages can therefore use the flaw to obtain access to external files while the application still appears to run in isolation.
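The check below is an added defender-side example, not code from the article or from the Flatpak project. It parses the Exec line of a .desktop file the way a launcher would, locates the "@@" / "@@u" ... "@@" spans that file forwarding interprets, and flags any argument inside such a span that is a fixed path rather than a %f/%U field code (field codes are filled in from the user's own file choice at launch time, which is the legitimate use the article describes). The export directory locations, the sample .desktop contents, and the field-code heuristic are assumptions made for this example.

```python
"""Added example (not flatpak's own code): audit exported .desktop files for
file-forwarding spans whose forwarded arguments were fixed by the package
author instead of being supplied by the user at launch time."""
import os
import shlex
from pathlib import Path

# Tokens that flatpak's file forwarding interprets in the Exec line (from the advisory).
FORWARD_TOKENS = ("@@", "@@u")

# Assumption: the usual flatpak export locations; adjust for your installation.
DEFAULT_EXPORT_DIRS = (
    Path("/var/lib/flatpak/exports/share/applications"),
    Path(os.path.expanduser("~/.local/share/flatpak/exports/share/applications")),
)


def exec_value(desktop_text):
    """Return the Exec= value of the [Desktop Entry] group, or None if absent."""
    in_entry = False
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_entry = line == "[Desktop Entry]"
        elif in_entry and line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return None


def audit_exec(exec_line):
    """Classify the arguments between a @@ or @@u opener and its closing @@.

    Field codes such as %f or %U are replaced by the launcher with the user's
    choice (the legitimate case). Anything else inside a span is a file or URI
    chosen by whoever wrote the .desktop file, the pattern the advisory describes.
    """
    try:
        args = shlex.split(exec_line)
    except ValueError:  # unbalanced quoting: report rather than guess
        return {"tokens": [], "forwarded": [], "hardcoded": [], "parse_error": True}
    tokens, forwarded, inside = [], [], False
    for arg in args:
        if arg in FORWARD_TOKENS:
            tokens.append(arg)
            inside = not inside  # an opener toggles on, the closing @@ toggles off
        elif inside:
            forwarded.append(arg)
    hardcoded = [a for a in forwarded if not a.startswith("%")]
    return {"tokens": tokens, "forwarded": forwarded,
            "hardcoded": hardcoded, "parse_error": False}


def audit_desktop(desktop_text):
    """Audit a whole .desktop file; returns None when it has no Exec line."""
    line = exec_value(desktop_text)
    return None if line is None else audit_exec(line)


def scan_exports(dirs=DEFAULT_EXPORT_DIRS):
    """Return [(path, audit)] for exported .desktop files with hardcoded forwards."""
    findings = []
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for path in sorted(Path(d).glob("*.desktop")):
            result = audit_desktop(path.read_text(encoding="utf-8", errors="replace"))
            if result and result["hardcoded"]:
                findings.append((str(path), result))
    return findings


# Constructed samples: a normal export, and one that forwards a package-chosen path.
BENIGN = """[Desktop Entry]
Name=Example
Exec=flatpak run --file-forwarding org.example.App @@u %U @@
Type=Application
"""
SUSPICIOUS = """[Desktop Entry]
Name=Example
Exec=flatpak run --file-forwarding org.example.App @@ /path/on/host/data.txt @@ %f
Type=Application
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, audit_desktop(text))
    for path, result in scan_exports():
        print("hardcoded forward in", path, result["hardcoded"])
```

Run it as a script to audit the export directories of the current host; the real remediation is updating to 1.10.2, and this scan only helps decide whether an older installation has already been handed a .desktop file of this shape.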

Source: opennet.ru
