CVE-2026-41477
Published: 24 April 2026
Summary
CVE-2026-41477 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Deskflow Deskflow. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Least privilege enforcement ensures the Deskflow daemon restricts privileged command execution via the IPC named pipe to only authorized entities, preventing local unprivileged user escalation to SYSTEM.
Access enforcement mechanisms block unauthorized local users from processing privileged commands through the exposed IPC named pipe lacking authentication.
Secure configuration settings disable WorldAccessOption on the Deskflow daemon's IPC named pipe, restricting access to authorized users only.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is explicitly a local privilege escalation flaw in the Deskflow daemon's unauthenticated IPC named pipe, directly enabling an unprivileged local user to execute arbitrary commands as SYSTEM.
NVD Description
Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to…
more
execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.
Deeper analysisAI
CVE-2026-41477 is a privilege escalation vulnerability in Deskflow, a keyboard and mouse sharing application. The issue affects stable version 1.20.0 and later, as well as Continuous prerelease version 1.26.0.134 and earlier. In these versions, the Deskflow daemon runs with SYSTEM privileges and exposes an IPC named pipe configured with WorldAccessOption enabled. This pipe allows the daemon to process privileged commands without any authentication, enabling local privilege escalation. The vulnerability is rated with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization).
A local unprivileged user can exploit this vulnerability by connecting to the exposed IPC named pipe and sending crafted privileged commands. No advanced skills or user interaction are required due to the low attack complexity and lack of authentication checks. Successful exploitation grants the attacker the ability to execute arbitrary commands with SYSTEM-level privileges, potentially leading to full system compromise, including high-impact confidentiality, integrity, and availability violations on the affected Windows host.
The vendor has published a security advisory detailing the issue at https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c, which provides guidance on mitigation and available patches. Security practitioners should consult this advisory for specific remediation steps, such as upgrading to a patched version or applying workarounds to restrict access to the IPC pipe.
Details
- CWE(s)