CVE-2026-33145
Received Received - Intake
Remote Code Execution in xrdp via AlternateShell Parameter

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This results in shell-interpreted execution of unsanitized, user-controlled input. This behavior effectively provides a scriptable remote command execution primitive over RDP within the security context of the authenticated user, occurring prior to normal window manager startup. This can bypass expected session initialization flows and operational assumptions that restrict execution to interactive desktop environments. This issue has been fixed in version 0.10.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33145
EUVD
EUVD-2026-23510
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
neutrinolabs xrdp to 0.10.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in xrdp, an open source RDP server, in versions through 0.10.5. It allows an authenticated remote user to execute arbitrary commands on the server because of unsafe handling of the AlternateShell parameter in xrdp-sesman.

When the AllowAlternateShell setting is enabled (which is the default if not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This means that unsanitized, user-controlled input is executed as a shell command.

This behavior provides a scriptable remote command execution capability over RDP within the security context of the authenticated user, occurring before the normal window manager starts. It can bypass expected session initialization flows and assumptions that restrict execution to interactive desktop environments.

The issue was fixed in version 0.10.6.

Impact Analysis

This vulnerability can allow an authenticated remote user to execute arbitrary commands on the affected server with the privileges of the authenticated user.

Because the commands are executed before the normal desktop environment starts, it can bypass security controls or operational assumptions that expect execution only within an interactive desktop session.

This could lead to unauthorized actions such as data manipulation, privilege escalation (depending on user privileges), or disruption of normal server operations.

Mitigation Strategies

To mitigate this vulnerability, upgrade xrdp to version 0.10.6 or later where the issue has been fixed.

Alternatively, disable the AllowAlternateShell setting in the xrdp configuration to prevent execution of client-supplied AlternateShell commands.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart