Description
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before 9.5.7, before 8.23.2.
Published: 2026-06-10
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of argument delimiters in the nxchmod.sh script allows Local Users to inject arguments into executed commands. The vulnerability can be leveraged by a compromised or local user to execute arbitrary shell commands as the machine’s root user, compromising confidentiality, integrity, and availability of the affected system. The weakness is an Argument Injection flaw classified under CWE-88.

Affected Systems

NoMachine software is affected, specifically all versions older than 9.5.7 and older than 8.23.2. Users running these releases are at risk until they upgrade to a non‑vulnerable version.

Risk and Exploitability

The CVSS score is 7.3, indicating high severity. EPSS information is currently unavailable, making it unclear how frequently this issue is being exploited in the wild, though the CVE is not listed in the CISA KEV catalog. The most likely attack vector is local, requiring an attacker to run code on the target machine, for example via scripts or local exploits. Once achieved, the attacker can gain full root privileges with the ability to modify system files, install malware, and maintain persistence.

Generated by OpenCVE AI on June 10, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NoMachine to version 9.5.7 or later, or 8.23.2 or later, depending on the current baseline.
  • Disable or restrict execution of the nxchmod.sh script from untrusted users by applying file permission changes or using security modules such as SELinux or AppArmor.
  • Monitor system logs for unexpected command execution patterns that may indicate an attempt to exploit this injection weakness.

Generated by OpenCVE AI on June 10, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Nomachine
Nomachine nomachine
Vendors & Products Nomachine
Nomachine nomachine

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before 9.5.7, before 8.23.2.
Title Potential local privileges escalation through argument injection in the nxchmod.sh script
Weaknesses CWE-88
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nomachine Nomachine
cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-10T16:08:09.832Z

Reserved: 2026-06-10T14:57:15.835Z

Link: CVE-2026-53694

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T16:17:17.093

Modified: 2026-06-10T16:17:17.093

Link: CVE-2026-53694

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T17:45:21Z

Weaknesses