CVE-2026-23572 Overview
CVE-2026-23572 is a high-severity improper access control vulnerability affecting TeamViewer Full and Host clients across Windows, macOS, and Linux platforms. The vulnerability allows an authenticated user to bypass additional access controls when the "Allow after confirmation" configuration is enabled during a remote session. Successful exploitation could result in unauthorized access prior to local confirmation by the session host.
This vulnerability requires authentication for the remote session via ID/password, Session Link, or Easy Access as a prerequisite to exploit, which somewhat limits the attack surface but still poses significant risk in enterprise environments where TeamViewer is commonly deployed for remote support.
Critical Impact
Authenticated attackers can bypass confirmation-based access controls in TeamViewer remote sessions, potentially gaining unauthorized access to sensitive systems before the host user can review and approve the connection.
Affected Products
- TeamViewer Full Client (Windows) prior to version 15.74.5
- TeamViewer Full Client (macOS) prior to version 15.74.5
- TeamViewer Full Client (Linux) prior to version 15.74.5
- TeamViewer Host Client (Windows) prior to version 15.74.5
- TeamViewer Host Client (macOS) prior to version 15.74.5
- TeamViewer Host Client (Linux) prior to version 15.74.5
Discovery Timeline
- 2026-02-05 - CVE-2026-23572 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23572
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization), which occurs when software performs an authorization check but does not correctly verify whether the actor has the privileges to access the resource. In the context of TeamViewer, the "Allow after confirmation" security feature is designed to require explicit approval from the host user before a remote session gains elevated access. However, this implementation contains a flaw that permits authenticated remote users to bypass this confirmation mechanism.
The attack requires network access and high privileges on the attacker's side, but does not require user interaction on the victim's end once the initial authentication is complete. The vulnerability affects confidentiality, integrity, and availability of the target system, as an attacker who bypasses the confirmation control could potentially view sensitive data, modify files, or disrupt system operations.
Root Cause
The root cause of CVE-2026-23572 lies in improper access control validation within TeamViewer's session management logic. When the "Allow after confirmation" option is configured, the client should enforce a strict check that prevents any privileged operations until the local user explicitly approves the request. However, due to a flaw in how this authorization check is implemented, certain operations or session escalations can proceed without the required confirmation, effectively circumventing the security control.
Attack Vector
The attack vector for this vulnerability is network-based, requiring the attacker to first authenticate to a TeamViewer session through one of the supported methods (ID/password, Session Link, or Easy Access). Once authenticated, the attacker can exploit the improper access control to bypass the confirmation requirement.
The exploitation flow involves establishing a legitimate remote session with valid credentials, then performing actions that should trigger the confirmation prompt but instead execute without host approval. This could allow the attacker to gain access to restricted areas of the system or perform operations that the host intended to review before allowing.
For detailed technical information regarding exploitation patterns and indicators, refer to the TeamViewer Security Bulletin TV-2026-1003.
Detection Methods for CVE-2026-23572
Indicators of Compromise
- Unexpected TeamViewer remote sessions established without corresponding confirmation prompts in application logs
- TeamViewer connection logs showing session escalations that did not trigger the expected confirmation workflow
- Evidence of file access or system modifications occurring during remote sessions where the host user did not approve elevated access
- Anomalous remote session activity patterns, particularly rapid escalation from basic to elevated access
Detection Strategies
- Monitor TeamViewer log files (typically located in %appdata%\TeamViewer\ on Windows) for session events that indicate bypassed confirmation requirements
- Implement endpoint detection rules to alert on TeamViewer sessions that gain elevated access without corresponding confirmation events
- Deploy SentinelOne Singularity Platform to detect and respond to unauthorized remote access attempts and anomalous TeamViewer behavior
- Correlate network connection logs with TeamViewer session logs to identify potential exploitation attempts
Monitoring Recommendations
- Enable verbose logging in TeamViewer to capture detailed session activity for forensic analysis
- Configure SIEM rules to alert on TeamViewer sessions from unexpected geographic locations or outside business hours
- Monitor for TeamViewer client versions below 15.74.5 across the enterprise environment
- Implement real-time alerting for any bypass of confirmation-based security controls
How to Mitigate CVE-2026-23572
Immediate Actions Required
- Update all TeamViewer Full and Host clients to version 15.74.5 or later immediately
- Conduct an inventory of all TeamViewer installations across the organization to identify vulnerable versions
- Review TeamViewer session logs for any suspicious activity that may indicate prior exploitation
- Consider temporarily disabling TeamViewer on critical systems until patches can be applied
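The inventory and version-monitoring steps above depend on comparing version strings numerically, because a plain string comparison ranks 15.8.3 above 15.74.5. The following is an added example, not code from the original page or from TeamViewer; the CSV layout, host names, and sample versions are constructed for illustration.

```python
import csv
import io
import re

FIXED_VERSION = (15, 74, 5)  # first fixed release named in this advisory

# Constructed sample inventory (hypothetical hosts); real data would come
# from an asset-management or EDR export with the same columns.
SAMPLE_INVENTORY = """host,platform,client,version
ws-001,Windows,Full,15.74.5
ws-002,Windows,Host,15.8.3
mac-003,macOS,Full,15.73.9
lin-004,Linux,Host,v15.75.1
lin-005,Linux,Full,unknown
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one client."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable: needs manual follow-up, not a pass
    # Tuple comparison is numeric per component, so 15.8.3 < 15.74.5.
    return "patched" if v >= FIXED_VERSION else "vulnerable"


def audit(inventory_csv):
    """Map each host to its status for the whole inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"]) for r in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be treated as unverified rather than patched.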
Patch Information
TeamViewer has released version 15.74.5 to address this vulnerability. Organizations should prioritize updating all affected clients across Windows, macOS, and Linux environments. The security patch corrects the improper access control logic to ensure the "Allow after confirmation" feature functions as intended.
For official patch details and download links, refer to the TeamViewer Security Bulletin TV-2026-1003.
Workarounds
- Temporarily disable the "Allow after confirmation" feature and require manual presence for all remote sessions until the patch is applied
- Implement network-level restrictions to limit TeamViewer connections to trusted IP ranges only
- Enable two-factor authentication for TeamViewer accounts to add an additional layer of security
- Consider using allowlists to restrict which accounts can initiate remote sessions to your systems
Configuration example: check the installed TeamViewer version.

```bash
# Check TeamViewer version on Linux
teamviewer --version
# Expected output should be 15.74.5 or higher
```

```powershell
# On Windows, check via PowerShell
Get-ItemProperty "HKLM:\SOFTWARE\TeamViewer" | Select-Object Version
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


