CVE-2026-41477 | THREATINT

Description

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

PUBLISHED Reserved 2026-04-20 | Published 2026-04-24 | Updated 2026-04-28 | Assigner GitHub_M

HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-306: Missing Authentication for Critical Function

CWE-862: Missing Authorization

Product status

<= 1.26.0.134

affected

<= 1.20.0

affected

References

github.com/...skflow/security/advisories/GHSA-6rx5-g478-775c exploit

github.com/...skflow/security/advisories/GHSA-6rx5-g478-775c

cve.org (CVE-2026-41477)

nvd.nist.gov (CVE-2026-41477)

Download JSON