ZDI 2026-03-30

ZDI-26-248: NoMachine External Control of File Path Local Privilege Escalation Vulnerability

CVE-2026-5054

Machine-generated analysis · WAYSCloud LLM

The vulnerability involves external control of file paths in NoMachine, potentially allowing local privilege escalation.

Context

The affected product is NoMachine, a remote desktop software solution. The vulnerability is a local privilege escalation issue stemming from external control of file paths. An attacker must already have the ability to execute low-privileged code on the system to exploit this condition. The ZDI has rated the vulnerability with a CVSS score of 7.8.

Operator considerations

Check: Determine if NoMachine is installed and in use on the system.

From Zero Day Initiative ↗

This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-5054.

Read the full advisory on ZDI →