CVE-2026-23571
Command Injection in TeamViewer DEX 1E-Nomad Component
Publication date: 2026-01-29
Last updated on: 2026-02-11
Assigner: TeamViewer Germany GmbH
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| teamviewer | digital_employee_experience | up to 26.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI-Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in TeamViewer DEX, specifically in the 1E-Nomad-RunPkgStatusRequest instruction. It occurs because of improper input validation, allowing authenticated attackers with actioner privileges to execute elevated arbitrary commands on connected hosts by injecting malicious commands into the instruction's input field. Users with 1E Client version 24.5 or higher are not affected.
How can this vulnerability impact me?
An attacker with actioner privileges could exploit this vulnerability to run arbitrary commands with elevated privileges on connected hosts. This could lead to unauthorized control over systems, data compromise, disruption of services, or further exploitation within the network.
What immediate steps should I take to mitigate this vulnerability?
Users should upgrade to 1E Client version 24.5 or higher, as these versions are not affected by the vulnerability.