Skip to main content

Deskflow EUVDEUVD-2026-25623

| CVE-2026-41477 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-04-24 GitHub_M
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 20:31 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 20:15 euvd
EUVD-2026-25623
Analysis Generated
Apr 24, 2026 - 20:15 vuln.today
CVE Published
Apr 24, 2026 - 19:50 nvd
HIGH 7.8

DescriptionGitHub Advisory

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

AnalysisAI

Local privilege escalation in Deskflow (all versions up to 1.20.0 stable and 1.26.0.134 continuous) allows any low-privilege Windows user to execute arbitrary commands as SYSTEM by accessing an unauthenticated IPC named pipe. The daemon runs with SYSTEM privileges and processes commands without validating caller identity due to WorldAccessOption configuration. No public exploit identified at time of analysis, but the attack vector is straightforward for local users with basic Windows IPC knowledge.

Technical ContextAI

Deskflow is a keyboard and mouse sharing application that requires a Windows service running with SYSTEM privileges to coordinate input device sharing across networked computers. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function). The service creates an IPC named pipe - a Windows inter-process communication mechanism - with WorldAccessOption enabled, which grants access to any local user regardless of privilege level. Named pipes are commonly used for client-server communication on Windows, but when configured with overly permissive access controls and lacking caller authentication, they become privilege escalation vectors. Any local process can connect to the pipe and issue privileged commands that the SYSTEM-level daemon executes without verifying the caller's identity or authorization level.

RemediationAI

Monitor the GitHub security advisory at https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c for vendor-released patch announcements and upgrade to the patched version immediately upon release. Until a patch is available, implement compensating controls: restrict Deskflow installation to single-user workstations where privilege escalation risk is mitigated by the absence of untrusted local accounts, or uninstall Deskflow from multi-user systems and shared environments. On systems where Deskflow must remain operational, harden local access controls by ensuring only trusted administrative users have local logon rights, deploy endpoint detection solutions to monitor unusual named pipe access patterns and SYSTEM process spawning from unexpected parent processes, and apply application control policies to prevent unauthorized binaries from executing even if SYSTEM access is obtained. Note that blocking named pipe access directly would likely break Deskflow's core functionality. For high-security environments, consider replacing Deskflow with alternative KVM solutions that do not require SYSTEM-level services or implement authenticated IPC mechanisms.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-25623 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy