CVE-2026-5055 Overview
CVE-2026-5055 is an Uncontrolled Search Path Element vulnerability in NoMachine that enables local privilege escalation. The NoMachine Device Server loads libraries from an unsecured location, which lets a local attacker escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the NoMachine Device Server component. By placing a malicious library in an unsecured path, an attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.
Critical Impact
Local attackers with low-privileged access can escalate to SYSTEM-level privileges, enabling complete system compromise and arbitrary code execution with the highest Windows privileges.
Affected Products
- NoMachine (all affected versions as per vendor advisory)
- NoMachine Device Server component
Discovery Timeline
- 2026-04-11 - CVE-2026-5055 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-5055
Vulnerability Analysis
This vulnerability is classified as CWE-427 (Uncontrolled Search Path Element), a category of security flaws where an application searches for and loads executable code or libraries from directories that may be under attacker control. In the case of NoMachine Device Server, the software loads a library from an unsecured location without proper validation of the library source.
The vulnerability requires local access with low-privileged user credentials as a prerequisite. Once an attacker has established this initial foothold, they can exploit the insecure library loading behavior to achieve privilege escalation to SYSTEM level. This represents a complete compromise of confidentiality, integrity, and availability on the affected system.
Root Cause
The root cause of CVE-2026-5055 stems from the NoMachine Device Server's failure to properly secure or validate the search path used when loading dynamic libraries. When the software attempts to load a required library, it searches directories in a specific order, and one or more of these directories can be manipulated by a low-privileged user. By placing a malicious library with an expected filename in such a directory, attackers can hijack the library loading process.
This type of vulnerability commonly occurs when:
- The application does not use absolute paths for library loading
- The DLL search order includes user-writable directories before secure system directories
- Proper access controls are not enforced on directories in the search path
Attack Vector
The attack vector for CVE-2026-5055 is local, requiring the attacker to have existing access to the target system with the ability to execute low-privileged code. The exploitation workflow typically involves:
- An attacker gains initial access to the target system with a low-privileged user account
- The attacker identifies the vulnerable library loading behavior in the NoMachine Device Server
- A malicious DLL is crafted with the expected library name and placed in an unsecured directory within the search path
- When the NoMachine Device Server loads or restarts, it locates and loads the attacker's malicious library
- The malicious code executes in the context of SYSTEM, providing the attacker with full administrative control
This vulnerability was tracked internally as ZDI-CAN-28494 before public disclosure. For additional technical details, refer to the Zero Day Initiative Advisory ZDI-26-249.
Detection Methods for CVE-2026-5055
Indicators of Compromise
- Unexpected DLL files appearing in NoMachine installation directories or user-writable paths within the search order
- Unusual process behavior from NoMachine Device Server (nxserver.exe or related processes)
- Evidence of SYSTEM-level processes spawned by NoMachine components executing unexpected code
- Modified file timestamps on legitimate NoMachine libraries or the presence of similarly-named DLL files
Detection Strategies
- Monitor for DLL file creation events in directories commonly used by NoMachine and within the Windows DLL search path
- Implement application whitelisting to detect unauthorized libraries being loaded by NoMachine processes
- Use endpoint detection and response (EDR) solutions like SentinelOne to identify anomalous library loading behavior and privilege escalation attempts
- Enable Windows Security Event logging for process creation (Event ID 4688) and audit object access to track suspicious file operations
Monitoring Recommendations
- Configure SentinelOne agents to alert on suspicious DLL side-loading activities targeting NoMachine processes
- Establish baseline behavior for NoMachine Device Server processes and alert on deviations
- Monitor for new files created in NoMachine installation directories by non-administrative users
- Implement integrity monitoring on critical NoMachine directories to detect unauthorized modifications
How to Mitigate CVE-2026-5055
Immediate Actions Required
- Review NoMachine installations and ensure they are updated to the latest patched version when available from the vendor
- Restrict write access to NoMachine installation directories and any directories in the library search path to administrators only
- Implement application control policies to prevent unauthorized DLL execution
- Deploy SentinelOne Singularity Platform to detect and block privilege escalation attempts targeting this vulnerability
Patch Information
Organizations should monitor NoMachine for official security patches addressing CVE-2026-5055. Refer to the Zero Day Initiative Advisory ZDI-26-249 for the latest information on vendor response and patch availability.
Workarounds
- Apply strict file system permissions to ensure only administrators can write to directories in the NoMachine library search path
- Use Windows Group Policy to enforce DLL search order restrictions via the SafeDllSearchMode registry setting
- Consider restricting NoMachine service execution to dedicated, hardened systems with minimal user access
- Implement application whitelisting solutions to prevent unauthorized library loading
# Restrict permissions on the NoMachine installation directory (PowerShell)
# /inheritance:r removes inherited entries; the grants below leave write access
# to SYSTEM and Administrators only, with read and execute for Users
icacls "C:\Program Files\NoMachine" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
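One way to verify the permission workarounds above, as an added example that is not from NoMachine or the original advisory: the script lists non-administrative principals that hold write-class rights on the NoMachine install tree and on each machine-wide PATH directory, then checks the SafeDllSearchMode value. The install path is the one used in the icacls command above; the trusted-principal list and the function name are assumptions to adjust for your environment.

```powershell
# Added example, not vendor code. $installDir mirrors the path in the icacls command above.
$installDir = 'C:\Program Files\NoMachine'

# Principals expected to hold write access (assumption); anything else is reported.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that allow creating or replacing a file, plus GENERIC_ALL / GENERIC_WRITE,
# which Get-Acl can return as raw bits on inherit-only entries.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = ([int]$rights) -bor 0x50000000

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        # Report search path entries that do not exist so they can be removed.
        return [pscustomobject]@{ Path = $Path; Identity = '(directory missing)'; Rights = $null }
    }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $mask)
        } |
        ForEach-Object {
            [pscustomobject]@{ Path = $Path; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
        }
}

# Directories to audit: the install tree plus every entry of the machine-wide PATH.
$dirs = @($installDir) +
        @(Get-ChildItem -LiteralPath $installDir -Directory -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName }) +
        @([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
            ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) })

$findings = $dirs | Where-Object { $_ } | Sort-Object -Unique |
            ForEach-Object { Get-UntrustedWriteAce -Path $_ }
$findings | Format-Table -AutoSize -Wrap

# SafeDllSearchMode is on by default when the value is absent; only an explicit 0 disables it.
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name SafeDllSearchMode -ErrorAction SilentlyContinue
if ($sm -and $sm.SafeDllSearchMode -eq 0) { Write-Warning 'SafeDllSearchMode is explicitly disabled (0).' }
```

Run it from an elevated session so every ACL can be read; an empty table means no untrusted principal holds write-class rights on the audited directories.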
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


