Skip to main content

Clash Verge EUVDEUVD-2026-34977

| CVE-2026-26422 HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-06-06 mitre GHSA-5m7x-g9jc-x5g7
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 07, 2026 - 02:00 EUVD
Source Code Evidence Fetched
Jun 06, 2026 - 22:50 vuln.today
Analysis Generated
Jun 06, 2026 - 22:50 vuln.today

DescriptionCVE.org

clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation.

AnalysisAI

Local privilege escalation in clash-verge-service-ipc before 2.3.0 allows unprivileged local users on macOS and Linux to interact with a world-reachable IPC socket exposed by the privileged Clash Verge service, enabling them to invoke service operations that run with elevated rights. The upstream fix (PR #23) restricts IPC permissions to 0750 on the directory and 0660 on the socket, and the patched dependency was incorporated into the Clash Verge Rev desktop client. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Technical ContextAI

Clash Verge Rev is a Tauri-based desktop GUI for the Clash/Mihomo proxy core that ships with a companion privileged background service (clash-verge-service) which the unprivileged UI process talks to over a local IPC channel implemented by the clash-verge-service-ipc Rust crate. On Unix-like systems this IPC is exposed via a filesystem socket whose containing directory and socket node had overly permissive modes, allowing any local user - not just members of an authorized group - to open and send commands to the privileged endpoint. This is a textbook CWE-732 (Incorrect Permission Assignment for Critical Resource) issue: the security boundary between unprivileged callers and the root/Administrator-level service relies on filesystem permissions, and those permissions were effectively world-reachable. The fix (clash-verge-service-ipc PR #23, shipped in v2.3.0) tightens the modes to 0750 for the directory and 0660 for the socket so only the owning user and group can open the channel.

RemediationAI

Vendor-released patch: upgrade clash-verge-service-ipc to 2.3.0 or later, which lands PR #23 restricting the IPC directory mode to 0750 and the socket mode to 0660; end users of the Clash Verge Rev desktop client should update to a Clash Verge Rev build that includes commit 3bbcdbe (which pins clash_verge_service_ipc 2.0.27 and consumes the v2.3.0 IPC). Advisory URLs: https://github.com/clash-verge-rev/clash-verge-service-ipc/releases/tag/v2.3.0 and https://github.com/clash-verge-rev/clash-verge-rev/commit/3bbcdbe5caacc2ffb713af69f2c93e202573f918. If immediate upgrade is not possible, manually chmod the IPC socket directory to 0750 and the socket file to 0660 owned by the appropriate service user/group, or uninstall the background privileged service and run Clash Verge without service-mode TUN/system-proxy features - the trade-off being loss of transparent proxying and any function that requires elevated networking privileges. On shared/multi-user macOS or Linux hosts, treat upgrade as urgent because every local account is currently in the trust boundary.

Share

EUVD-2026-34977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy