Skip to main content

Suse CVE-2026-33145

| EUVDEUVD-2026-23510 MEDIUM
OS Command Injection (CWE-78)
2026-04-17 GitHub_M
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 14:13 nvd
Patch available
Patch available
Apr 17, 2026 - 21:16 EUVD
Analysis Generated
Apr 17, 2026 - 21:11 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 20:45 euvd
EUVD-2026-23510
Analysis Generated
Apr 17, 2026 - 20:45 vuln.today
CVE Published
Apr 17, 2026 - 20:14 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This results in shell-interpreted execution of unsanitized, user-controlled input. This behavior effectively provides a scriptable remote command execution primitive over RDP within the security context of the authenticated user, occurring prior to normal window manager startup. This can bypass expected session initialization flows and operational assumptions that restrict execution to interactive desktop environments. This issue has been fixed in version 0.10.6.

AnalysisAI

Authenticated remote command execution in xrdp through version 0.10.5 allows users to execute arbitrary shell commands on the RDP server via an unsanitized AlternateShell parameter during session initialization. When AllowAlternateShell is enabled (the default configuration), xrdp passes client-supplied shell commands directly to /bin/sh -c without sanitization, bypassing normal session constraints. An authenticated RDP user can exploit this to run arbitrary commands in the context of their login session before the window manager starts, with no public exploit code identified at time of analysis.

Technical ContextAI

xrdp is an open-source Remote Desktop Protocol (RDP) server implementation that allows remote graphical access to Linux systems. The vulnerability resides in xrdp-sesman, the session manager component responsible for initializing and managing RDP sessions. When a client connects, xrdp-sesman accepts connection parameters including the AlternateShell setting, which is intended to specify an alternative login shell for the session. The vulnerability stems from unsafe command construction: the user-controlled AlternateShell value is concatenated directly into a shell command string and executed via /bin/sh -c without input validation or escaping. This represents a classic command injection vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command) where shell metacharacters in the AlternateShell parameter are interpreted by the shell rather than treated as literal argument data. The AllowAlternateShell setting defaults to enabled, meaning systems are vulnerable by default unless explicitly configured otherwise. The flaw occurs during early session initialization, before the normal RDP desktop environment (typically X11 or Wayland) is established, allowing attackers to execute commands outside the expected interactive desktop sandbox.

RemediationAI

Upgrade xrdp to version 0.10.6 or later immediately; this is the vendor-released patch that fixes the AlternateShell command injection. The upgrade can be performed via package managers (apt upgrade xrdp on Debian/Ubuntu systems) or by rebuilding from source from the official GitHub repository. For organizations unable to upgrade immediately, implement the following compensating controls: (1) disable the AllowAlternateShell feature by setting AllowAlternateShell=false in /etc/xrdp/xrdp.ini on all xrdp servers, then restart the xrdp service (sudo systemctl restart xrdp); this eliminates the attack surface but prevents users from specifying custom shells, potentially breaking workflows that rely on shell customization; (2) restrict RDP access at the firewall or network level to only trusted IP ranges or VPN subnets, reducing the exposed authentication surface; (3) enforce strong RDP authentication via Network Policy Server (NPS) or RADIUS where available, preventing credential-based attacks; (4) monitor xrdp logs for failed connection attempts or unusual session parameters, though log coverage for AlternateShell injection attempts may be limited. None of these workarounds fully mitigate the flaw if AllowAlternateShell remains enabled, so patch deployment is strongly preferred. Reference vendor advisory: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rmvv-7633-fg7h

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-33145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy