CVE-2026-33145

Source
https://cve.org/CVERecord?id=CVE-2026-33145
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33145.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33145
Aliases
  • GHSA-rmvv-7633-fg7h
Downstream
Related
Published
2026-04-17T20:14:14.048Z
Modified
2026-07-15T01:49:19.796470224Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
xrdp: Authenticated RCE via unsanitized AlternateShell execution in xrdp-sesman
Details

xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This results in shell-interpreted execution of unsanitized, user-controlled input. This behavior effectively provides a scriptable remote command execution primitive over RDP within the security context of the authenticated user, occurring prior to normal window manager startup. This can bypass expected session initialization flows and operational assumptions that restrict execution to interactive desktop environments. This issue has been fixed in version 0.10.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33145.json",
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/neutrinolabs/xrdp

Affected ranges

Type
GIT
Repo
https://github.com/neutrinolabs/xrdp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.10.6"
        }
    ]
}

Affected versions

v0.*
v0.10.0
v0.10.0-beta.1
v0.10.0-beta.2
v0.10.0-beta.3
v0.10.1
v0.10.2
v0.10.2-rc.1
v0.10.3
v0.10.4
v0.10.4.1
v0.10.5
v0.9.10
v0.9.11
v0.9.12
v0.9.13
v0.9.14
v0.9.15
v0.9.16
v0.9.17
v0.9.18
v0.9.2
v0.9.3
v0.9.3.rc1
v0.9.4
v0.9.4.rc1
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33145.json"