CVE-2026-41477

Published: Apr 24, 2026Modified: Apr 28, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

Affected (1)

Products: Deskflow: Deskflow

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Deskflow Deskflow	From 1.20.0 to 1.26.0.161

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c

Source: security-advisories@github.com

ExploitPatchVendor Advisory

https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitPatchVendor Advisory

Timeline

No history available yet.