Skip to main content

Onlyoffice Desktopeditors CVE-2026-41030

| EUVDEUVD-2026-23197 MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-04-16 mitre
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
Apr 17, 2026 - 15:38 nvd
Patch available
Patch available
Apr 16, 2026 - 07:01 EUVD
Analysis Generated
Apr 16, 2026 - 06:40 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 06:30 euvd
EUVD-2026-23197
Analysis Generated
Apr 16, 2026 - 06:30 vuln.today
CVE Published
Apr 16, 2026 - 05:51 nvd
MEDIUM 6.2

DescriptionCVE.org

In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.

AnalysisAI

ONLYOFFICE DesktopEditors versions before 9.3.0 allow local attackers to perform arbitrary file operations with SYSTEM privileges via the update service, resulting in denial of service through resource exhaustion or file manipulation. The vulnerability requires local access and operates without user interaction, making it a significant privilege-escalation risk in multi-user or compromised-account scenarios.

Technical ContextAI

ONLYOFFICE DesktopEditors includes an automatic update service that runs with elevated SYSTEM privileges. The vulnerability (CWE-669: Improper Control of a Resource Through its Lifetime) indicates the update service fails to properly validate or restrict file operations initiated by lower-privileged local users. This allows an unprivileged local process to invoke SYSTEM-level file actions, effectively bypassing privilege boundaries. The affected product spans all versions before 9.3.0 as identified by CPE cpe:2.3:a:ascensio:onlyoffice_desktopeditors:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade ONLYOFFICE DesktopEditors to version 9.3.0 or later immediately; this is the primary and officially released fix addressing the privilege-escalation flaw in the update service. Users unable to upgrade immediately should disable the automatic update service through application settings (typical path: Tools → Options → Update) and manually verify downloads from the official ONLYOFFICE repository before installing; this prevents malicious or unintended SYSTEM-privileged operations but requires manual security maintenance overhead. Alternatively, restrict local user access to the DesktopEditors installation and cache directories via file system ACLs on Windows (NTFS permissions) or Unix group/mode restrictions (e.g., chmod 750 for config directories) to prevent unprivileged processes from invoking the update mechanism; note this may break legitimate auto-update functionality and must be tested in your environment. For multi-user systems, monitor the update service process (e.g., DesktopEditorsUpdateService.exe on Windows) for unexpected invocations using EDR or Sysmon, setting alerts for any calls from non-standard accounts. Detailed upgrade instructions and release notes are in the GitHub changelog linked above.

Share

CVE-2026-41030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy