{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5055", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-27T18:06:08.827Z", "datePublished": "2026-04-11T00:14:25.877Z", "dateUpdated": "2026-04-14T03:55:48.016Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:14:25.877Z"}, "title": "NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "descriptions": [{"lang": "en", "value": "NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the NoMachine Device Server. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-28494."}], "affected": [{"vendor": "NoMachine", "product": "NoMachine", "versions": [{"version": "9.2.18_1", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-249/", "name": "ZDI-26-249", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:06:08.850Z", "datePublic": "2026-03-30T19:45:53.272Z", "source": {"lang": "en", "value": "khongtrang"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-5055"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T03:55:48.016Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5055", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T16:15:37.816745Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:15:42.869Z"}}], "cna": {"title": "NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "source": {"lang": "en", "value": "khongtrang"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "NoMachine", "product": "NoMachine", "versions": [{"status": "affected", "version": "9.2.18_1"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-30T19:45:53.272Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-249/", "name": "ZDI-26-249", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:06:08.850Z", "descriptions": [{"lang": "en", "value": "NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the NoMachine Device Server. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-28494."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:14:25.877Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5055", "state": "PUBLISHED", "dateUpdated": "2026-04-14T03:55:48.016Z", "dateReserved": "2026-03-27T18:06:08.827Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-04-11T00:14:25.877Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nomachine:nomachine:*:*:*:*:*:*:*:*", "matchCriteriaId": "99ABF7D0-787B-4153-8F4F-53F5B59609B4", "versionEndExcluding": "9.4.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the NoMachine Device Server. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-28494."}], "id": "CVE-2026-5055", "lastModified": "2026-04-15T18:41:22.170", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:18.017", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-249/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "9.2.18_1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NoMachine", "source": "cna", "vendor": "NoMachine"}, "product": "nomachine", "vendor": "nomachine"}], "analysis": {"en": {"generated_at": "2026-04-11T02:27:10.943476+00:00", "value": {"mitigation_remediation": ["Apply the latest NoMachine patch or update to a version that fixes the library loading issue.", "If no patch is immediately available, ensure that the library path used by NoMachine is owned by a privileged account and has restrictive permissions to prevent untrusted users from placing malicious libraries there.", "Restrict local user shell access and monitor for suspicious library files in the NoMachine directories.", "Check NoMachine\u2019s vendor website or support channels for any interim advisories or configuration changes."], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is NoMachine, specifically the Device Server component. No version information is provided in the advisory, so the scope includes all installations that rely on the Device Server's library loading behavior.", "description_and_impact": "This vulnerability stems from the NoMachine Device Server loading a shared library from an uncontrolled, unsecured location. When a local attacker successfully injects a malicious library, the application runs the library with elevated privileges, allowing the attacker to execute arbitrary code as the SYSTEM account. Consequently, an attacker can gain full control over the affected system, compromising confidentiality, integrity, and availability. The weakness is characterized by uncontrolled search path element access, corresponding to CWE\u2011427.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity for local privilege escalation. Exploitation requires an attacker to have some level of code execution at a lower privilege first; from there the flaw permits escalation to SYSTEM. EPSS data is unavailable, so we cannot quantify the current risk of exploitation, but the lack of an official patch or workaround and the severity score suggest that administrators should treat it as a high risk. The vulnerability is not listed in CISA\u2019s KEV catalog, but the potential for full system takeover makes it a priority target for mitigation."}}}}, "created": "2026-04-13T12:42:19.234860+00:00", "updated": "2026-04-13T12:57:05.548059+00:00", "vendors": ["nomachine", "nomachine$PRODUCT$nomachine"]}