Release 1.8.6

@alexlarsson alexlarsson released this 25 Jan 08:54
1.8.6

This is an "old-stable" update for users of the Flatpak 1.8.x branch, such as Red Hat Enterprise Linux 8. In environments that do not need to stay on a specific branch, updating to the newest stable version instead of using this version is recommended. At the time of writing, the newest stable version is 1.12.4.

This security update fixes a potential attack in which a Flatpak application
could use custom-formatted .desktop files to gain access to files on the
host system. (CVE-2021-21261)
For details, see:
GHSA-4ppf-fxf6-vxg2

This security update also fixes a security vulnerability in the portal
support. Some recently added syscalls were not blocked by the seccomp rules,
which allowed an application to create sub-sandboxes that could confuse
the sandboxing verification mechanisms of the portal. This has been
fixed by extending the seccomp rules so that these syscalls are also denied
inside the sandbox. (CVE-2021-41133)
For details, see:
GHSA-67h7-w3jq-vh4q
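As an added example (not Flatpak's own seccomp rules or code), the C program below builds a classic seccomp-BPF deny list of the kind described above in two versions: one that omits a newer syscall and one extended with it. The choice of clone3 as the illustrative newer syscall, the use of EPERM as the failure code, and the two short deny lists are assumptions made for this illustration; the release notes do not state them. What the program shows is that a deny-list filter silently allows any syscall it has not been taught about, which is why newly added kernel entry points need explicit rules.

```c
/* Added example, not Flatpak code: a seccomp-BPF deny list that, like the
 * pre-1.8.6 rules, forgets a newly added syscall, beside the extended list.
 * clone3 as the example syscall and the deny lists are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* clone3 is number 435 on every architecture; older headers may lack it. */
#ifndef __NR_clone3
#define __NR_clone3 435
#endif

/* Deny list "before the fix": only the older namespace/mount entry points
 * (assumed for illustration; not Flatpak's real list). */
static const int old_deny[] = { __NR_unshare, __NR_mount };
/* Extended list: the same plus the newer clone3 entry point. */
static const int new_deny[] = { __NR_unshare, __NR_mount, __NR_clone3 };

#define MAX_INSNS 64

/* Build a classic seccomp-BPF program: kill on a foreign arch (prevents
 * compat-ABI bypass), return -EPERM for each denied number, allow the rest. */
static size_t build_filter(const int *deny, size_t ndeny, struct sock_filter *out)
{
    size_t n = 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            DEMO_AUDIT_ARCH, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < ndeny; i++) {
        /* jt=0: fall through to the ERRNO return; jf=1: skip it. */
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)deny[i], 0, 1);
        out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                       SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

static int install_filter(const int *deny, size_t ndeny)
{
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog = {
        .len = (unsigned short)build_filter(deny, ndeny, insns),
        .filter = insns,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the chosen filter in the child, invoke the syscall with null
 * arguments, and report the errno the child saw: 0 if the call succeeded,
 * -1 if the probe itself failed. The child keeps the filter off the caller. */
static int probe_syscall(long nr, const int *deny, size_t ndeny)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter(deny, ndeny) != 0)
            _exit(255);
        long r = syscall(nr, (void *)0, (size_t)0);
        _exit(r == -1 ? (errno & 0xff) : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int probe_with_old_rules(long nr)
{
    return probe_syscall(nr, old_deny, sizeof old_deny / sizeof old_deny[0]);
}

int probe_with_new_rules(long nr)
{
    return probe_syscall(nr, new_deny, sizeof new_deny / sizeof new_deny[0]);
}

int main(void)
{
    printf("clone3 under old rules: errno %d (kernel/outer profile decides)\n",
           probe_with_old_rules(__NR_clone3));
    printf("clone3 under new rules: errno %d (EPERM = %d)\n",
           probe_with_new_rules(__NR_clone3), EPERM);
    printf("getppid under new rules: errno %d (allowed)\n",
           probe_with_new_rules(SYS_getppid));
    return 0;
}
```

Compile with gcc on Linux. Under the old rules the result for clone3 is whatever the kernel or any outer seccomp profile (for example a container runtime's) decides, which is exactly the gap the fix closes; under the extended rules it is always EPERM, while an unrelated syscall such as getppid still succeeds.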

Other changes:

  • Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, fixing
    a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0
  • Fix fd confusion in flatpak-spawn --env=... --forward-fd=..., resolving a
    regression introduced in 1.8.5
  • Fix deploys of local remotes in system-helper, possibly involving newer
    GLib versions
  • Memory leak fixes backported from 1.10.2 and 1.11.2
  • File descriptor leak fixes backported from 1.10.2, 1.10.3 and 1.11.2
  • Add --enable-asan configure option backported from 1.10.1
  • The .profile snippets now disable GVfs when calling flatpak to
    avoid spawning a gvfs daemon when logging in via ssh
  • Fix test failures on non-x86_64 systems
  • Update Polish translation

$ sha256sum flatpak-1.8.6.tar.xz
70dc6bb6231c494885dd82f6607a3033b7636c0ad0c399e59f7c760fbffb4de7  flatpak-1.8.6.tar.xz