Skip to main content

NoMachine CVE-2026-53694

| EUVDEUVD-2026-36060 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-06-10 CIRCL GHSA-pph3-cx78-q9jc
7.3
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (CIRCL) · only source for this CVE.

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 17:01 EUVD
Analysis Generated
Jun 10, 2026 - 16:29 vuln.today
CVSS changed
Jun 10, 2026 - 16:22 NVD
7.3 (HIGH)

DescriptionCVE.org

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before 9.5.7, before 8.23.2.

AnalysisAI

Argument injection in NoMachine remote desktop software before versions 9.5.7 and 8.23.2 allows a local authenticated user to inject command-line arguments and achieve high-impact compromise of confidentiality, integrity, and availability on the host. The flaw is tracked as CWE-88 (Improper Neutralization of Argument Delimiters), reported by CIRCL, and at the time of analysis there is no public exploit identified.

Technical ContextAI

NoMachine is a commercial remote desktop and NX-protocol-based remote access suite that ships privileged helper components on Windows, Linux, and macOS hosts to broker sessions, manage displays, and execute system operations on behalf of users. CWE-88 (Argument Injection) covers cases where a process builds a child command line by concatenating user-controlled input without separating it from the executable's option parser, so values that contain leading hyphens or special delimiters are interpreted as additional flags rather than data. Per the affected CPE cpe:2.3:a:nomachine:nomachine, the weakness sits in NoMachine itself rather than a bundled third-party library, indicating one of NoMachine's own privileged wrappers fails to neutralize argument delimiters before invoking an underlying binary.

RemediationAI

Upgrade NoMachine to 9.5.7 or later on the 9.x branch, or to 8.23.2 or later on the 8.x branch, per the vendor advisories at https://kb.nomachine.com/SU05X00274 and https://kb.nomachine.com/SU05X00275; these are the only confirmed fixes. Until patching is complete, restrict interactive and remote-shell logon on NoMachine hosts to trusted administrators (the vulnerability requires local low-privileged access), remove non-essential local accounts, and audit setuid/privileged NoMachine helpers and scheduled tasks for invocation by unprivileged users, accepting that these controls reduce who can reach the vulnerable code path but do not eliminate the bug. Monitor process creation events for NoMachine binaries spawning child processes with unexpected argument flags as a detection compensating control, recognizing this will not prevent exploitation.

CVE-2017-12763 HIGH POC
8.8 Aug 29

An unspecified server utility in NoMachine before 5.3.10 on Mac OS X and Linux allows authenticated users to gain privil

CVE-2023-39107 CRITICAL POC
9.1 Aug 04

An arbitrary file overwrite vulnerability in NoMachine Free Edition and Enterprise Client for macOS before v8.8.1 allows

CVE-2018-17980 HIGH POC
7.8 Oct 15

NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file lo

CVE-2018-6947 HIGH POC
7.8 Feb 28

An uninitialised stack variable in the nxfuse component that is part of the Open Source DokanFS library shipped with NoM

CVE-2022-34043 HIGH POC
7.3 Jun 29

Incorrect permissions for the folder C:\ProgramData\NoMachine\var\uninstall of Nomachine v7.9.2 allows attackers to perf

CVE-2018-0664 CRITICAL
9.8 Sep 04

A vulnerability in NoMachine App for Android 5.0.63 and earlier allows attackers to alter environment variables via unsp

CVE-2026-5054 HIGH
7.8 Apr 11

Local privilege escalation in NoMachine allows authenticated low-privileged attackers to execute arbitrary code as root

CVE-2026-5055 HIGH
7.8 Apr 11

Local privilege escalation in NoMachine Device Server allows authenticated low-privileged attackers to execute arbitrary

CVE-2024-7253 HIGH
7.8 Nov 22

NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), thi

CVE-2026-5053 HIGH
7.1 Apr 11

Arbitrary file deletion in NoMachine through environment variable path manipulation allows authenticated local attackers

CVE-2018-20029 MEDIUM
5.5 Dec 10

The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6.4.6 on Windows 10 allows local users to cause a d

CVE-2025-8614 HIGH
7.8 Sep 02

NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), thi

Share

CVE-2026-53694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy