CVE-2026-5053

# Proof of Concept (PoC) for CVE-2026-5053 # This script demonstrates how an attacker might leverage the environment variable # handling flaw to trigger arbitrary file deletion in NoMachine. import os # The specific environment variable name depends on the vulnerable NoMachine component # For demonstration purposes, we assume a hypothetical variable 'NX_TEMP_DIR'. VULNERABLE_ENV_VAR = "NX_TEMP_DIR" TARGET_FILE_TO_DELETE = "/tmp/sensitive_config.txt" print(f"[*] Attempting to exploit CVE-2026-5053 via environment variable manipulation") print(f"[*] Target file for deletion: {TARGET_FILE_TO_DELETE}") # Step 1: Create a dummy target file to simulate the scenario with open(TARGET_FILE_TO_DELETE, 'w') as f: f.write("This is a sensitive file that should not be deleted.") # Step 2: Set the malicious environment variable # The vulnerability allows controlling the path. In a real exploit, this might # point to a directory where the application performs cleanup operations. # Here we simulate the path traversal/control. malicious_path = os.path.dirname(TARGET_FILE_TO_DELETE) os.environ[VULNERABLE_ENV_VAR] = malicious_path print(f"[*] Set environment variable {VULNERABLE_ENV_VAR}={malicious_path}") # Step 3: Trigger the vulnerable NoMachine process # Note: Actual exploitation requires triggering the specific binary or service # that reads the environment variable and performs the file operation. # This is a simulation of the application logic flaw. print("[*] Triggering vulnerable process (Simulation)...") if os.path.exists(TARGET_FILE_TO_DELETE): # Simulating the flawed logic: unlinking files in the user-controlled path os.remove(TARGET_FILE_TO_DELETE) print(f"[+] Success: {TARGET_FILE_TO_DELETE} has been deleted (simulated)") else: print("[-] File not found.")

{"cve": {"id": "CVE-2026-5053", "sourceIdentifier": "[email protected]", "published": "2026-04-11T01:16:17.757", "lastModified": "2026-04-15T18:43:05.060", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of environment variables. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-28644."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-73"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nomachine:nomachine:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.4.14", "matchCriteriaId": "99ABF7D0-787B-4153-8F4F-53F5B59609B4"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-247/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}