CVE-2026-5055: NoMachine Local Privilege Escalation Vulnerability Patched in Version 9.4.14
A local privilege escalation vulnerability in NoMachine, tracked as CVE-2026-5055, allows attackers with low-privileged code execution to gain SYSTEM access via an uncontrolled search path element. The flaw, reported by researcher khongtrang, was disclosed by the Zero Day Initiative on March 30, 2026, as ZDI-26-249.
The vulnerability resides in the NoMachine Device Server component. The product loads a library from an unsecured location, enabling an attacker who already has low-privileged code execution on the target system to escalate privileges to SYSTEM. This is a classic uncontrolled search path element weakness (CWE-427): the application searches multiple locations for a resource, and an attacker can place a malicious library in a location that is searched earlier than the legitimate one.
NoMachine is popular remote desktop software used by enterprises and individuals for remote access and administration. The vulnerability affects all versions prior to 9.4.14. Given the widespread deployment of NoMachine, the flaw poses a significant risk, especially in corporate environments where local privilege escalation can lead to full system compromise.
NoMachine has released version 9.4.14 to address the issue, as detailed in their knowledge base article SU03X00271. Users are strongly advised to update immediately. The CVSS score for this vulnerability is 7.8 (High), with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating low attack complexity and no user interaction required.
The disclosure timeline shows the vulnerability was reported to NoMachine on December 24, 2025, and the coordinated public release occurred on March 30, 2026. This is the first public advisory for this specific CVE, and no in-the-wild exploitation has been reported yet. However, given the ease of exploitation and the availability of details, administrators should prioritize patching.
This vulnerability highlights the ongoing challenge of privilege escalation flaws in remote access software, which are attractive targets for attackers seeking to move laterally within networks. Organizations using NoMachine should ensure that version 9.4.14 or later is deployed across all endpoints.