Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.
AnalysisAI
Local privilege escalation in Deskflow (all versions up to 1.20.0 stable and 1.26.0.134 continuous) allows any low-privilege Windows user to execute arbitrary commands as SYSTEM by accessing an unauthenticated IPC named pipe. The daemon runs with SYSTEM privileges and processes commands without validating caller identity due to WorldAccessOption configuration. No public exploit identified at time of analysis, but the attack vector is straightforward for local users with basic Windows IPC knowledge.
Technical ContextAI
Deskflow is a keyboard and mouse sharing application that requires a Windows service running with SYSTEM privileges to coordinate input device sharing across networked computers. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function). The service creates an IPC named pipe - a Windows inter-process communication mechanism - with WorldAccessOption enabled, which grants access to any local user regardless of privilege level. Named pipes are commonly used for client-server communication on Windows, but when configured with overly permissive access controls and lacking caller authentication, they become privilege escalation vectors. Any local process can connect to the pipe and issue privileged commands that the SYSTEM-level daemon executes without verifying the caller's identity or authorization level.
RemediationAI
Monitor the GitHub security advisory at https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c for vendor-released patch announcements and upgrade to the patched version immediately upon release. Until a patch is available, implement compensating controls: restrict Deskflow installation to single-user workstations where privilege escalation risk is mitigated by the absence of untrusted local accounts, or uninstall Deskflow from multi-user systems and shared environments. On systems where Deskflow must remain operational, harden local access controls by ensuring only trusted administrative users have local logon rights, deploy endpoint detection solutions to monitor unusual named pipe access patterns and SYSTEM process spawning from unexpected parent processes, and apply application control policies to prevent unauthorized binaries from executing even if SYSTEM access is obtained. Note that blocking named pipe access directly would likely break Deskflow's core functionality. For high-security environments, consider replacing Deskflow with alternative KVM solutions that do not require SYSTEM-level services or implement authenticated IPC mechanisms.
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25623