Description
An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue affects Parsec through v2026-05-04.0. The patched version is Parsec for Windows version 150-104a. A user can generate a situation where there is an instance of parsecd.exe running as NT AUTHORITY\SYSTEM with a user-controlled value of the AppData environment variable.
Published: 2026-07-04
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Incorrect Use of Privileged APIs in Unity Parsec's Windows implementation, discovered in version v2026-05-04.0 and earlier. It allows a local user to craft a parsecd.exe instance that runs with the SYSTEM account by manipulating the AppData environment variable. This flaw leads to an Elevation of Privilege, granting the attacker system‑level access on the affected host.

Affected Systems

Affected are all Windows clients of Unity Parsec up to version 150-104a, including all builds released before the patched release. Any installations using parsecd.exe on a Windows host that have not been upgraded to at least 150-104a are susceptible.

Risk and Exploitability

The CVSS score of 8.4 marks this as a high‑severity issue, but its EPSS score is not available and it is not listed in CISA’s KEV catalog. Exploitation requires a local attacker to influence the AppData environment variable; therefore the attack vector is local user privilege escalation. A successful exploitation would grant SYSTEM privileges, allowing the attacker to execute arbitrary code, install malware, modify system configuration, and bypass all Windows security controls.

Generated by OpenCVE AI on July 4, 2026 at 08:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Unity Parsec to version 150-104a or later.
  • If an upgrade cannot be performed immediately, restrict write access to the AppData directory and monitor environment variables for unexpected values that could influence parsecd.exe.
  • Apply least‑privilege principles by running Parsec under a standard user account and consider sandboxing or containerization to isolate it from system resources.

Generated by OpenCVE AI on July 4, 2026 at 08:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
Title Parsec Windows Elevation of Privilege via Incorrect Use of Privileged APIs

Sat, 04 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
Description An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue affects Parsec through v2026-05-04.0. The patched version is Parsec for Windows version 150-104a. A user can generate a situation where there is an instance of parsecd.exe running as NT AUTHORITY\SYSTEM with a user-controlled value of the AppData environment variable.
First Time appeared Unity
Unity parsec
Weaknesses CWE-648
CPEs cpe:2.3:a:unity:parsec:*:*:*:*:*:*:*:*
Vendors & Products Unity
Unity parsec
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-04T00:45:24.208Z

Reserved: 2026-06-14T04:15:58.932Z

Link: CVE-2026-54424

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-04T08:30:04Z

Weaknesses
  • CWE-648

    Incorrect Use of Privileged APIs