Nixpkgs security tracker

Permalink CVE-2026-41477

7.8 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 2 days, 12 hours ago by @LeSuisse Activity log

Created suggestion 4 days, 18 hours ago
@LeSuisse dismissed 2 days, 12 hours ago

Deskflow: Local privilege escalation via unauthenticated IPC

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

References

https://github.com/deskflow/deskflow/security/advisories/GHSA-6rx5-g478-775c x_refsource_CONFIRM

Affected products

deskflow

==<= 1.20.0
==<= 1.26.0.134

Matching in nixpkgs

pkgs.deskflow

Share one mouse and keyboard between multiple computers on Windows, macOS and Linux

nixos-unstable 1.25.0
- nixpkgs-unstable 1.25.0
- nixos-unstable-small 1.25.0
nixos-25.11 1.24.0
- nixos-25.11-small 1.24.0
- nixpkgs-25.11-darwin 1.24.0

Package maintainers

@flacks Jean Lucas <jean@4ray.co>

Windows issue only

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.deskflow

Package maintainers