CVE-2026-41477— deskflow 访问控制错误漏洞

Deskflow: Local privilege escalation via unauthenticated IPC

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

关键功能的认证机制缺失

deskflow 访问控制错误漏洞

deskflow是Deskflow开源的一款跨设备键盘鼠标共享工具。 deskflow 1.20.0版本、1.26.0.134版本及之前版本存在访问控制错误漏洞，该漏洞源于Deskflow守护程序以SYSTEM身份运行并暴露启用了WorldAccessOption的IPC命名管道，允许任何本地非特权用户以SYSTEM身份执行任意命令。

N/A

N/A