PT-2026-33505 · Xrdp · Xrdp

Smittix · Published 2026-04-17 · Updated 2026-05-19 · CVE-2026-33145

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: xrdp versions prior to 0.10.6
Description: An authenticated remote user can execute arbitrary commands on the server because xrdp-sesman handles the AlternateShell parameter unsafely. AlternateShell is a string the RDP client sends at connection time to request a program other than the default desktop (the "start the following program on connection" option in many clients). When the AllowAlternateShell setting is enabled, sesman accepts that client-supplied value and runs it through /bin/sh -c during session initialization, so any shell metacharacters in the unsanitized, user-controlled string are interpreted by the shell. The result is a remote command execution primitive in the security context of the authenticated user, executed before the window manager starts. Because the command runs from sesman's session setup rather than inside a desktop session, it sidesteps the initialization flow that normally confines execution to an interactive desktop environment (for example a restricted or kiosk-style session). Exploitation requires valid credentials and AllowAlternateShell enabled, which the CVSS vector reflects (Au:S).
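The pattern the description refers to, as an added example that is not xrdp's own code: a client-supplied AlternateShell string either goes verbatim into /bin/sh -c, where ';', '$( )', '>' and similar characters are interpreted, or it is validated, split into an argv and checked against an allowlist so it can be exec'd directly with no shell in the loop. The allowlist entries, the metacharacter set and the sample client values are constructed for this example.

```c
/*
 * Added example; not xrdp's own code. Models the CVE-2026-33145 pattern:
 * a client-supplied AlternateShell value handled (a) via /bin/sh -c, which
 * parses it, versus (b) validated, split into argv and allowlisted for a
 * direct exec. Allowlist and sample values are constructed for the example.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16

/* Anything here gives sh -c a second command, a substitution, a redirection,
 * a glob or a quoting context. Reject all of it. */
static const char SHELL_META[] = ";|&$`<>()\\\"'*?[]{}~\n\r";

/* Programs a session may start instead of the default desktop (constructed). */
static const char *const ALLOWED_PROGRAMS[] = {
    "/usr/bin/xterm",
    "/usr/bin/gnome-terminal",
    NULL
};

/* 1 if 's' is an absolute program path plus arguments with no shell
 * metacharacters; 0 otherwise. This is the check that was missing when the
 * value went to the shell verbatim. */
int alternate_shell_is_safe(const char *s)
{
    if (s == NULL || s[0] != '/')
        return 0;
    return strpbrk(s, SHELL_META) == NULL;
}

/* Split 's' on spaces/tabs into a NULL-terminated argv backed by 'buf'.
 * Returns argc, or -1 if the value is unsafe or too long. No quoting on
 * purpose: arguments containing spaces are out of scope, a far smaller
 * surface than what sh -c accepts. */
int split_argv(const char *s, char *buf, size_t buflen, char *argv[], int max_args)
{
    size_t len;
    int argc = 0;
    char *p;

    if (!alternate_shell_is_safe(s))
        return -1;
    len = strlen(s);
    if (len + 1 > buflen)
        return -1;
    memcpy(buf, s, len + 1);

    p = buf;
    while (*p != '\0') {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        if (argc >= max_args - 1)      /* keep room for the NULL terminator */
            return -1;
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;
        if (*p != '\0')
            *p++ = '\0';
    }
    argv[argc] = NULL;
    return argc;
}

/* 1 if argv0 is one of the allowlisted programs. */
int program_is_allowed(const char *argv0)
{
    for (int i = 0; ALLOWED_PROGRAMS[i] != NULL; i++)
        if (strcmp(argv0, ALLOWED_PROGRAMS[i]) == 0)
            return 1;
    return 0;
}

/* Hardened decision: validate, split, allowlist. 1 means the argv may be
 * passed to execv() directly; 0 means drop the client value. */
int alternate_shell_accept(const char *s)
{
    char buf[256];
    char *argv[MAX_ARGS];
    int argc = split_argv(s, buf, sizeof buf, argv, MAX_ARGS);
    return argc > 0 && program_is_allowed(argv[0]);
}

int main(void)
{
    /* Constructed client values an RDP client could place in AlternateShell. */
    const char *samples[] = {
        "/usr/bin/xterm -geometry 80x24",
        "/usr/bin/xterm; touch /tmp/marker",   /* second command rides along */
        "/usr/bin/xterm $(id)",                /* command substitution */
        "/bin/sh",                             /* valid path, not allowlisted */
        "xterm",                               /* relative, resolved via PATH */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        /* Vulnerable path: s becomes argv[2] of {"sh", "-c", s}, so the shell
         * parses it and every sample above is executed as written. */
        printf("%-36s sh -c: runs as-is | hardened: %s\n", s,
               alternate_shell_accept(s) ? "exec argv" : "rejected");
    }
    return 0;
}
```

The hardened path never consults a shell: the value is rejected unless it is an absolute path to an allowlisted program, and what survives is handed to execv() as a fixed argv, so there is nothing left for metacharacters to do.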
Recommendations: Update to xrdp 0.10.6 or later. As a temporary workaround, disable the AllowAlternateShell setting in the sesman configuration so that client-supplied shell values are ignored, and restart xrdp-sesman for the change to take effect.
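The weak and the workaround setting side by side, as an added example that is not text from the advisory or from xrdp's shipped configuration. The file and section (sesman.ini, [Security]) are where stock xrdp installs keep this key; confirm against your own installation.

```ini
; sesman.ini, [Security] section (assumed location; check your install).
; Weak: client-supplied AlternateShell is honoured, and before 0.10.6 it is
; run through /bin/sh -c.
[Security]
AllowAlternateShell=true

; Workaround until 0.10.6 is deployed: ignore the client value entirely.
[Security]
AllowAlternateShell=false
```

After editing, restart the sesman service (on systemd hosts typically `systemctl restart xrdp-sesman`) and confirm that a client connecting with an alternate shell set still lands in the default desktop.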

Fix

Fixed in xrdp 0.10.6.

Weakness Enumeration

OS Command Injection (CWE-78)

Related Identifiers

BDU:2026-06988
CVE-2026-33145
OPENSUSE-SU-2026:10816-1

Affected Products

Xrdp