CVE-2026-5054: NoMachine Local Privilege Escalation Vulnerability Allows Root Escalation
A local privilege escalation vulnerability in NoMachine (CVE-2026-5054) allows attackers with low-privileged code execution to gain root access via improper file path validation.

A local privilege escalation vulnerability in NoMachine, tracked as CVE-2026-5054, has been disclosed by the Zero Day Initiative (ZDI-26-248). The flaw affects NoMachine versions prior to 9.4.14 and allows an attacker with low-privileged code execution on a target system to escalate privileges to root. The vulnerability carries a CVSS score of 7.8, reflecting its high impact on confidentiality, integrity, and availability.
The specific flaw resides in the handling of command line parameters. NoMachine fails to properly validate a user-supplied file path before using it in file operations. An attacker can exploit this by crafting a malicious path that, when processed by the vulnerable component, leads to arbitrary file operations with elevated privileges. This can be leveraged to execute arbitrary code in the context of root, effectively giving the attacker full control over the affected system.
NoMachine is a popular remote desktop and remote access software used by individuals and enterprises for secure connections to remote desktops and servers. The software runs on multiple platforms, including Windows, macOS, Linux, and various Unix-like systems. Given its widespread use in IT administration and remote work scenarios, a local privilege escalation vulnerability poses a significant risk, especially in multi-user environments where an attacker may already have limited access.
NoMachine addressed the vulnerability in version 9.4.14, released on March 30, 2026. The vendor's advisory is available at NoMachine KB SU03X00271. Users are strongly advised to update to the latest version immediately. The vulnerability was reported to NoMachine on February 6, 2026, and the coordinated public release of the advisory occurred on March 30, 2026.
While no active exploitation in the wild has been reported as of the advisory's publication, the detailed disclosure and the availability of a proof-of-concept exploit from ZDI increase the likelihood of attackers incorporating this vulnerability into their toolkits. Organizations using NoMachine should prioritize patching, especially on systems where limited user accounts exist and where privilege escalation could lead to broader compromise.
This disclosure adds to a growing list of local privilege escalation vulnerabilities in remote access software, highlighting the importance of rigorous input validation in command-line interfaces. The ZDI advisory credits an anonymous researcher for discovering the flaw.
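
The advisory does not publish the vulnerable code, so the following is an added illustration of the defensive pattern for this bug class, not NoMachine's code or its fix. It shows how a privileged helper can confine a user-supplied path to one directory; the function name `open_confined`, the base-directory policy and the hard-link check are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not NoMachine code): open user_path read-only, confined
 * to base_dir. Returns a file descriptor, or -1 if the path is rejected. */
int open_confined(const char *base_dir, const char *user_path)
{
    if (!user_path || user_path[0] == '\0' || user_path[0] == '/')
        return -1;                          /* empty or absolute path */
    char *copy = strdup(user_path), *save = NULL;
    if (!copy) return -1;
    int dirfd = open(base_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int fd = -1;
    char *comp = strtok_r(copy, "/", &save);
    while (dirfd >= 0 && comp) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0 || strcmp(comp, ".") == 0)
            break;                          /* no traversal components */
        /* O_NOFOLLOW: a symlink at this component makes openat() fail. */
        int flags = O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC;
        int nfd = openat(dirfd, comp, next ? flags | O_DIRECTORY : flags);
        if (nfd < 0) break;
        if (!next) { fd = nfd; break; }     /* last component: the file */
        close(dirfd);                       /* descend one directory */
        dirfd = nfd;
        comp = next;
    }
    if (dirfd >= 0) close(dirfd);
    free(copy);
    struct stat st;     /* check the opened object: regular file, no extra hard links */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)) {
        close(fd);
        fd = -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 3) return 2;                /* usage: prog BASE_DIR USER_PATH */
    int fd = open_confined(argv[1], argv[2]);
    printf("%s\n", fd >= 0 ? "accepted" : "rejected");
    return fd >= 0 ? 0 : 1;
}
```

Because every check is made on descriptors the helper already holds, the file cannot be swapped between validation and use, which a string comparison on the path alone would not guarantee.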