PT-2026-35076 · Deskflow · Deskflow
Published 2026-04-24 · Updated 2026-04-25 · CVE-2026-41477
CVSS v3.1: 7.8 High | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Deskflow versions prior to 1.20.0
Deskflow versions prior to 1.26.0.134
Description
The Deskflow daemon runs with SYSTEM privileges and exposes an Inter-Process Communication (IPC) named pipe with the WorldAccessOption enabled. This configuration allows any local unprivileged user to execute arbitrary commands as SYSTEM because the daemon processes privileged commands without authentication.
Recommendations
Update to a version later than 1.20.0.
Update to a version later than 1.26.0.134.
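An added example, not taken from the advisory or from Deskflow's code: a Python check that parses a named pipe's security descriptor in SDDL form and reports allow ACEs that give broad groups write access, the kind of exposure the description attributes to WorldAccessOption. The function names and the sample SDDL strings are constructed for illustration; the page does not give the descriptor Deskflow's pipe carries.

```python
import re

# Access-mask bits that let a client write requests into the pipe.
FILE_WRITE_DATA, GENERIC_WRITE, GENERIC_ALL = 0x2, 0x40000000, 0x10000000
WRITE_BITS = FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL

# SDDL rights codes for file/pipe objects and generic rights.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": GENERIC_ALL, "GR": 0x80000000, "GW": GENERIC_WRITE, "GX": 0x20000000}

# Trustees that cover every (or nearly every) local account.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "BU": "Builtin Users", "S-1-5-32-545": "Builtin Users",
         "IU": "Interactive", "AN": "Anonymous"}

def rights_mask(text):
    """Turn an SDDL rights field (hex mask or two-letter codes) into a bit mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for code in re.findall("..", text):
        if code not in RIGHTS:
            raise ValueError(f"unsupported rights code {code!r}")
        mask |= RIGHTS[code]
    return mask

def world_writable_aces(sddl):
    """Return (trustee, mask) for allow ACEs granting write to broad groups.

    Deny ACEs are not evaluated, so a finding means "review this", not proof.
    """
    m = re.search(r"D:([^()]*)((?:\([^)]*\))*)", sddl)
    if m is None or "NO_ACCESS_CONTROL" in m.group(1):
        return [("Everyone (no DACL)", GENERIC_ALL)]  # no DACL: nothing restricts access
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")[:6]
        mask = rights_mask(rights)
        if ace_type == "A" and sid in BROAD and mask & WRITE_BITS:
            findings.append((BROAD[sid], mask))
    return findings

# Constructed sample descriptors (not captured from a Deskflow install).
SAMPLES = {"world": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;WD)",
           "locked": "O:SYG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)"}
if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, world_writable_aces(sddl))
```

A clean result only covers the pipe's ACL; it says nothing about whether the daemon authenticates the callers it does accept, which the advisory tags as a separate weakness.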
Fix
LPE
Missing Authentication
Missing Authorization
Related Identifiers
Affected Products
Deskflow