Cyber Resilience

CVE-2026-41477

HighPublic PoC

Published: 24 April 2026

Published
24 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41477 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Deskflow Deskflow. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-41477 is a privilege escalation vulnerability in Deskflow, a keyboard and mouse sharing application. The issue affects stable version 1.20.0 and later, as well as Continuous prerelease version 1.26.0.134 and earlier. In these versions, the Deskflow daemon runs with SYSTEM privileges and exposes an IPC named pipe configured with WorldAccessOption enabled. This pipe allows the daemon to process privileged commands without any authentication, enabling local privilege escalation. The vulnerability is rated with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization).

A local unprivileged user can exploit this vulnerability by connecting to the exposed IPC named pipe and sending crafted privileged commands. No advanced skills or user interaction are required due to the low attack complexity and lack of authentication checks. Successful exploitation grants the attacker the ability to execute arbitrary commands with SYSTEM-level privileges, potentially leading to full system compromise, including high-impact confidentiality, integrity, and availability violations on the affected Windows host.

The vendor has published a security advisory detailing the issue at https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c, which provides guidance on mitigation and available patches. Security practitioners should consult this advisory for specific remediation steps, such as upgrading to a patched version or applying workarounds to restrict access to the IPC pipe.

EU & UK References

Vulnerability details

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to…

more

execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is explicitly a local privilege escalation flaw in the Deskflow daemon's unauthenticated IPC named pipe, directly enabling an unprivileged local user to execute arbitrary commands as SYSTEM.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41476Same product: Deskflow Deskflow
CVE-2026-26160Shared CWE-306
CVE-2026-8547Shared CWE-862
CVE-2026-22172Shared CWE-862
CVE-2026-26159Shared CWE-306
CVE-2025-48574Shared CWE-862
CVE-2026-0026Shared CWE-862
CVE-2025-48578Shared CWE-862
CVE-2025-48634Shared CWE-862
CVE-2026-28193Shared CWE-862

Affected Assets

deskflow
deskflow
1.20.0 — 1.26.0.161

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Least privilege enforcement ensures the Deskflow daemon restricts privileged command execution via the IPC named pipe to only authorized entities, preventing local unprivileged user escalation to SYSTEM.

prevent

Access enforcement mechanisms block unauthorized local users from processing privileged commands through the exposed IPC named pipe lacking authentication.

prevent

Secure configuration settings disable WorldAccessOption on the Deskflow daemon's IPC named pipe, restricting access to authorized users only.

References