CVE-2026-5055
Uncontrolled Search Path Vulnerability in NoMachine Device Server Enables Local Privilege Escalation
Publication date: 2026-04-11
Last updated on: 2026-04-15
Assigner: Zero Day Initiative
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nomachine | nomachine | to 9.4.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5055 is a local privilege escalation vulnerability in NoMachine's Device Server component. The flaw occurs because the product loads a library from an unsecured location, which is an uncontrolled search path element.
An attacker must first have the ability to execute low-privileged code on the target system to exploit this vulnerability. Once exploited, the attacker can escalate their privileges to the SYSTEM level and execute arbitrary code with full system privileges.
How can this vulnerability impact me? :
This vulnerability allows an attacker who already has low-level access to escalate their privileges to the highest system level (SYSTEM).
With SYSTEM privileges, the attacker can execute arbitrary code, potentially compromising the confidentiality, integrity, and availability of the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that only trusted users have the ability to execute low-privileged code on the system, as exploitation requires such access.
Additionally, apply any available patches or updates from NoMachine that address the uncontrolled search path element in the Device Server component.
Restrict permissions on directories and libraries used by NoMachine Device Server to prevent loading of malicious libraries from unsecured locations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows local attackers to escalate privileges to SYSTEM level and execute arbitrary code, which can lead to a high impact on confidentiality, integrity, and availability of the affected system.
Such a compromise could potentially result in unauthorized access to sensitive data, which may affect compliance with standards and regulations like GDPR and HIPAA that require protection of personal and health information.
However, the provided information does not explicitly state the direct impact on compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local privilege escalation issue in the NoMachine Device Server caused by an uncontrolled search path element. Detection involves verifying if the NoMachine Device Server is installed and checking for insecure library loading paths.
Since exploitation requires local code execution, detection commands should focus on identifying the presence of the vulnerable NoMachine Device Server and inspecting its library load paths.
- Check if NoMachine Device Server is installed: `dpkg -l | grep nomachine` (on Debian-based systems) or `rpm -qa | grep nomachine` (on RPM-based systems).
- Identify the running NoMachine Device Server process: `ps aux | grep nxserver`.
- Use `ldd` on the NoMachine Device Server binary to list loaded libraries and check for any loaded from insecure or unexpected locations.
- Monitor for suspicious local code execution or privilege escalation attempts by reviewing system logs such as `/var/log/auth.log` or `/var/log/secure`.
Note that no specific detection commands are provided in the available resources, so these suggestions are based on typical methods to detect uncontrolled search path vulnerabilities and local privilege escalation attempts.