Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Local elevation of privilege requires an already-authenticated low-privileged user (PR:L, AV:L), no interaction, and yields full SYSTEM compromise (C:H/I:H/A:H).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue affects Parsec through v2026-05-04.0. The patched version is Parsec for Windows version 150-104a. A user can generate a situation where there is an instance of parsecd.exe running as NT AUTHORITY\SYSTEM with a user-controlled value of the AppData environment variable.
AnalysisAI
Local privilege escalation in Unity Parsec for Windows (all builds through v2026-05-04.0) lets an unprivileged local user coerce an instance of parsecd.exe to run as NT AUTHORITY\SYSTEM while honoring a user-controlled AppData environment variable, allowing the attacker to redirect the privileged process to resources under their control and gain SYSTEM. The flaw is a CWE-648 misuse of privileged APIs; publicly available exploit code exists (a dedicated CVE GitHub repository and a researcher write-up), and it is fixed in Parsec for Windows 150-104a. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local, interactive access to a Windows host running Unity Parsec at or below v2026-05-04.0 as a normal (unprivileged) user; the attacker must be able to set/control the AppData environment variable in their own session and induce an instance of parsecd.exe to launch in the NT AUTHORITY\SYSTEM context. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base 8.4) captures the full SYSTEM-compromise impact but is optimistic on privileges: this is a local elevation-of-privilege issue, so the attacker must already be a logged-in user on the host, which is more honestly modeled as PR:L than PR:N - flag this PR:N-versus-local-EoP tension when triaging. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard (non-admin) user logged into a shared Windows workstation that has Parsec installed sets the AppData environment variable to a directory they control, then triggers the code path that spawns parsecd.exe as NT AUTHORITY\SYSTEM. The SYSTEM process resolves attacker-controlled paths from that AppData value, letting the user execute code or load resources as SYSTEM and take over the machine. … |
| Remediation | Vendor-released patch: Parsec for Windows version 150-104a - upgrade every Windows host running Parsec to this build or later, per the vendor advisory at https://support.parsec.app/hc/en-us/articles/50612943726612-CVE-2026-54424. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Parsec for Windows deployments running builds through v2026-05-04.0 and restrict local login access to trusted administrators. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin
Unity Parsec has a TOCTOU race condition that permits local attackers to escalate privileges to SYSTEM if Parsec was ins
Same weakness CWE-648 – Incorrect Use of Privileged APIs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41655
GHSA-f445-7g93-34v9