Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.1
NoMachine: Local Attackers Can Delete Files on Your System
CVE-2026-5053
Summary
An attacker with some privileges on a system with NoMachine installed can delete any file they choose, potentially causing data loss. This is a concern because sensitive files could be deleted, and it's essential to patch or upgrade to a fixed version of NoMachine as soon as possible.
Original title
NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacke...
Original description
NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of environment variables. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-28644.
The specific flaw exists within the handling of environment variables. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-28644.
nvd CVSS3.0
7.1
Vulnerability type
CWE-73
Published: 11 Apr 2026 · Updated: 11 Apr 2026 · First seen: 11 Apr 2026