Skip to main content

Remote Spark SparkView CVE-2026-8326

| EUVDEUVD-2026-33281 CRITICAL
Relative Path Traversal (CWE-23)
2026-05-29 NCSC.ch GHSA-fhv3-q37g-rjx5
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 15:30 vuln.today
CVSS changed
May 29, 2026 - 13:22 NVD
10.0 (CRITICAL)
CVE Published
May 29, 2026 - 11:47 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Path traversal vulnerability in Remote Spark (https://www.Remotespark.Com/) SparkView allows reading and writing arbitrary files in all directories as root. This leads to RCE. The affected component is the RDP drive redirection.  Depending on implementation, the vulnerability can be exploited by an unauthenticated attacker.

This issue affects SparkView: before build 1127.

AnalysisAI

Path traversal in Remote Spark SparkView before build 1127 enables remote attackers to read and write arbitrary files as root through the RDP drive redirection component, leading to full remote code execution. CVSS 4.0 scores this 10.0 with no public exploit identified at time of analysis, though SSVC marks it automatable with total technical impact. Depending on the deployment, exploitation can be performed without authentication, making vulnerable internet-facing instances a high-priority patching target.

Technical ContextAI

SparkView is an HTML5-based remote desktop gateway from Remote Spark (remotespark.com) that proxies RDP, VNC, SSH, and Telnet sessions to browsers without client-side plugins. The flaw lives in its RDP drive redirection feature, which bridges the remote session's virtual channel to filesystem paths on the gateway host. CWE-23 (Relative Path Traversal) indicates the affected code does not sanitize '..' sequences or absolute paths supplied through the drive-redirection channel, allowing the gateway process - which runs as root - to access files outside the intended redirection sandbox. Because read and write are both possible as root, attackers can overwrite system binaries, cron jobs, SSH keys, or web-served files to pivot from file I/O to arbitrary code execution. The affected CPE is cpe:2.3:a:remote_spark_(https://www.remotespark.com/):sparkview:*:*:*:*:*:*:*:*, covering all SparkView builds prior to 1127.

RemediationAI

Upgrade SparkView to build 1127 or later, which is the vendor-released patch identified in the EUVD record and referenced from the Remote Spark product page at https://www.remotespark.com/view/new.html. Until the upgrade can be applied, disable the RDP drive redirection feature in the SparkView configuration to remove the vulnerable code path entirely - this breaks file-transfer convenience between client and remote session but preserves all other remote-access functionality. Additionally, place the SparkView gateway behind an authenticated reverse proxy or VPN so that the 'depending on implementation' unauthenticated path is closed off, and run the SparkView process under a non-root account where supported to limit blast radius if the traversal is reached. Monitor the gateway host for unexpected writes to /etc, /root, cron directories, and web roots as a detection backstop.

Share

CVE-2026-8326 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy