VYPR
Published Mar 30, 2026 · Updated May 18, 2026 · 1 source

NoMachine Vulnerability CVE-2026-5053 Allows Local Attackers to Delete Arbitrary Files as Root

A vulnerability in NoMachine (CVE-2026-5053) allows local attackers to delete arbitrary files as root due to improper validation of a user-supplied path in environment variable handling.

A newly disclosed vulnerability in NoMachine, tracked as CVE-2026-5053 and published by the Zero Day Initiative (ZDI-26-247), allows local attackers to delete arbitrary files on affected installations. The flaw stems from improper validation of a user-supplied path in environment variable handling, enabling low-privileged code to delete files with root privileges.

The vulnerability exists within NoMachine's handling of environment variables. The specific issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Once achieved, the attacker can leverage this flaw to delete arbitrary files in the context of root, potentially causing system instability or data loss.
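The advisory does not publish NoMachine's code, so the following is an added illustration (not NoMachine's or ZDI's code) of the bug class it describes and of the defensive pattern a privileged daemon should use instead. It assumes a placeholder environment variable `EXAMPLE_CLEANUP_PATH`, a cleanup directory owned by the privileged process, and a naming policy (alphanumerics, `-`, `_`, `.`, at most 64 characters) chosen for this example; the `demo_hardened_cleanup()` scenario builds its own constructed files under a temporary directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The weak pattern the advisory describes, reduced to its essence (illustration
 * only, not NoMachine's code): a process running as root reads a path from an
 * environment variable that an unprivileged user controls and hands it straight
 * to unlink(). EXAMPLE_CLEANUP_PATH is a placeholder variable name. */
int unsafe_cleanup(void) {
    const char *path = getenv("EXAMPLE_CLEANUP_PATH");
    if (path == NULL) return -1;
    return unlink(path);            /* whatever path the caller chose is removed as root */
}

/* Hardened policy: the caller may supply only a bare file name, never a path.
 * Returns 1 if the name is acceptable, 0 otherwise. Character set and length
 * limit are an assumed policy for this example. */
int validate_cleanup_name(const char *name) {
    if (name == NULL || *name == '\0' || strlen(name) > 64) return 0;
    if (strchr(name, '/') != NULL) return 0;                       /* no traversal */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (!isalnum(*p) && *p != '-' && *p != '_' && *p != '.') return 0;
    return 1;
}

/* Hardened deletion: resolve the name only inside base_dir (a directory the
 * privileged process owns), refuse symlinks and anything that is not a regular
 * file owned by the effective user, then unlink relative to the directory fd so
 * the object that was checked is the one removed. Returns 0 on success, -1 with
 * errno set otherwise. */
int safe_cleanup(const char *base_dir, const char *name) {
    if (!validate_cleanup_name(name)) { errno = EINVAL; return -1; }
    int dfd = open(base_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    struct stat st;
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0) { close(dfd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(dfd); errno = EPERM; return -1;
    }
    int rc = unlinkat(dfd, name, 0);
    int saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}

/* Constructed scenario: a "spool" directory the cleanup may touch and a
 * "protected" file beside it. Returns 1 when safe_cleanup() removes a legitimate
 * spool file but refuses both a traversal name and a symlink pointing at the
 * protected file (which must survive); 0 if a check fails; -1 on setup error. */
int demo_hardened_cleanup(void) {
    char dir[] = "/tmp/cleanup-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char spool[512], prot[512], target[512], lnk[512], lock[512];
    snprintf(spool, sizeof spool, "%s/spool", dir);
    snprintf(prot, sizeof prot, "%s/protected", dir);
    snprintf(target, sizeof target, "%s/important.conf", prot);
    snprintf(lnk, sizeof lnk, "%s/stale.lock", spool);
    snprintf(lock, sizeof lock, "%s/session.lock", spool);
    if (mkdir(spool, 0700) != 0 || mkdir(prot, 0700) != 0) return -1;
    FILE *f = fopen(target, "w");
    if (f == NULL) return -1;
    fputs("keep me\n", f); fclose(f);
    if ((f = fopen(lock, "w")) == NULL) return -1;
    fclose(f);
    if (symlink(target, lnk) != 0) return -1;

    int ok = 1;
    /* 1. traversal in the name is rejected before any filesystem access */
    if (safe_cleanup(spool, "../protected/important.conf") != -1 || errno != EINVAL) ok = 0;
    /* 2. a symlink inside spool is not a regular file, so it is refused */
    if (safe_cleanup(spool, "stale.lock") != -1 || errno != EPERM) ok = 0;
    if (access(target, F_OK) != 0) ok = 0;          /* protected file survived */
    /* 3. a legitimate regular file in spool is removed */
    if (safe_cleanup(spool, "session.lock") != 0) ok = 0;
    if (access(lock, F_OK) == 0) ok = 0;

    unlink(lnk); unlink(target); unlink(lock);
    rmdir(prot); rmdir(spool); rmdir(dir);
    return ok;
}

int main(void) {
    printf("validate(\"session.lock\")   = %d\n", validate_cleanup_name("session.lock"));
    printf("validate(\"../etc/passwd\")  = %d\n", validate_cleanup_name("../etc/passwd"));
    printf("hardened cleanup demo: %s\n",
           demo_hardened_cleanup() == 1 ? "all checks passed" : "FAILED");
    return 0;
}
```

The design point is that the privileged side never trusts a path string from its environment: it fixes the directory itself, accepts only a file name, and performs the check and the unlink against the same directory descriptor, which is also what makes the symlink and traversal cases fail closed rather than depending on the caller's good behaviour.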

NoMachine is a popular remote desktop and virtualization software used by enterprises and individuals for remote access and virtual desktop infrastructure (VDI). The software runs on multiple platforms, including Windows, macOS, Linux, and mobile operating systems. The vulnerability affects all versions prior to 9.4.14, which could expose a wide range of users to potential attacks.

The vulnerability carries a CVSS score of 7.1, classified as high severity. The vector string (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) indicates that the attack requires local access and low privileges, but no user interaction. The impact is limited to integrity and availability, with no confidentiality impact. This scoring reflects the potential for significant damage, as an attacker could delete critical system files, causing denial of service or system compromise.

NoMachine has released version 9.4.14 to address this vulnerability. Users are strongly advised to update their installations immediately. The vendor has provided a knowledge base article (https://kb.nomachine.com/SU03X00271) with details on the fix. The disclosure timeline shows that the vulnerability was reported to the vendor on February 6, 2026, and the coordinated public release of the advisory occurred on March 30, 2026.

The vulnerability was reported anonymously, and no in-the-wild exploitation has been confirmed at the time of disclosure. However, given the high severity and the potential for local privilege escalation, security researchers and system administrators should prioritize patching. This vulnerability highlights the ongoing risks associated with improper input validation in system-level software, particularly in remote access tools that often run with elevated privileges.

Synthesized by Vypr AI