CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Description
NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of environment variables. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-28644.
Analysis
Arbitrary file deletion in NoMachine through environment variable path manipulation allows authenticated local attackers to delete system files with root privileges. The vulnerability stems from insufficient validation of user-supplied paths in file operations, enabling low-privileged users to escalate impact by removing critical files. …
Remediation
Within 24 hours: Inventory all systems running NoMachine and document the versions in use; notify NoMachine administrators of the vulnerability. Within 7 days: Implement access controls restricting local login privileges on NoMachine hosts; disable NoMachine on non-essential systems pending patch availability. …
EUVD-2026-21651