CVE-2026-41477

Source
https://cve.org/CVERecord?id=CVE-2026-41477
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41477.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41477
Aliases
  • GHSA-6rx5-g478-775c
Published
2026-04-24T19:50:21.665Z
Modified
2026-07-08T08:13:14.752883302Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Deskflow: Local privilege escalation via unauthenticated IPC
Details

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41477.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-306",
        "CWE-862"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "1.26.0.134"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/deskflow/deskflow

Affected ranges

Type
GIT
Repo
https://github.com/deskflow/deskflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.20.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.19.0
v1.20.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41477.json"