CVE-2026-33145
Received Received - Intake

Remote Code Execution in xrdp via AlternateShell Parameter

Vulnerability report for CVE-2026-33145, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description

xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This results in shell-interpreted execution of unsanitized, user-controlled input. This behavior effectively provides a scriptable remote command execution primitive over RDP within the security context of the authenticated user, occurring prior to normal window manager startup. This can bypass expected session initialization flows and operational assumptions that restrict execution to interactive desktop environments. This issue has been fixed in version 0.10.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-07-06
AI Q&A
2026-04-18
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
neutrinolabs xrdp to 0.10.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in xrdp, an open source RDP server, in versions through 0.10.5. It allows an authenticated remote user to execute arbitrary commands on the server because of unsafe handling of the AlternateShell parameter in xrdp-sesman.

When the AllowAlternateShell setting is enabled (which is the default if not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This means that unsanitized, user-controlled input is executed as a shell command.

This behavior provides a scriptable remote command execution capability over RDP within the security context of the authenticated user, occurring before the normal window manager starts. It can bypass expected session initialization flows and assumptions that restrict execution to interactive desktop environments.

The issue was fixed in version 0.10.6.

Impact Analysis

This vulnerability can allow an authenticated remote user to execute arbitrary commands on the affected server with the privileges of the authenticated user.

Because the commands are executed before the normal desktop environment starts, it can bypass security controls or operational assumptions that expect execution only within an interactive desktop session.

This could lead to unauthorized actions such as data manipulation, privilege escalation (depending on user privileges), or disruption of normal server operations.

Mitigation Strategies

To mitigate this vulnerability, upgrade xrdp to version 0.10.6 or later where the issue has been fixed.

Alternatively, disable the AllowAlternateShell setting in the xrdp configuration to prevent execution of client-supplied AlternateShell commands.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart