Command injection in xrdp - CVE-2026-33145

Published: April 17, 2026
Vulnerability identifier: #VU126460
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33145
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: neutrinolabs
Affected software:
xrdp

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary commands on the server.

The vulnerability exists due to command injection in xrdp-sesman when processing a client-supplied AlternateShell value during session initialization. A remote user can supply a crafted AlternateShell value to execute arbitrary commands on the server.

The issue occurs when the AllowAlternateShell setting is enabled, which is the default if not explicitly configured, and command execution happens prior to normal window manager startup.

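Because the advisory says AllowAlternateShell is enabled unless it is explicitly configured, a commented-out or missing key leaves the affected code path reachable. The following audit script is an added example, not xrdp's own code: it assumes the sesman.ini syntax (';' or '#' comments, [section] headers, key=value pairs) and xrdp-style boolean spellings, and it searches every section rather than assuming which one holds the key.

```python
import sys

# Boolean spellings, modelled on xrdp's text-to-bool parsing (assumption).
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}

# Constructed sample: the key is commented out, so the default (enabled) applies.
SAMPLE_INI = """[Security]
AllowRootLogin=false
; AllowAlternateShell=false
"""

def parse_ini(text):
    """Return {section: {lowercased key: value}} for sesman.ini-style text."""
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections

def alternate_shell_status(text):
    """'disabled' / 'enabled' when set explicitly, 'default' when absent
    (enabled, per the advisory), 'unknown' for an unrecognised value."""
    for keys in parse_ini(text).values():
        if "allowalternateshell" in keys:
            value = keys["allowalternateshell"].lower()
            if value in FALSE_VALUES:
                return "disabled"
            return "enabled" if value in TRUE_VALUES else "unknown"
    return "default"

def audit(text):
    """Return (status, exposed); anything but an explicit 'disabled' counts as exposed."""
    status = alternate_shell_status(text)
    return status, status != "disabled"

if __name__ == "__main__":
    # Pass the path of the real sesman.ini as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    status, exposed = audit(text)
    print(f"AllowAlternateShell: {status} -> {'EXPOSED' if exposed else 'mitigated'}")
    sys.exit(1 if exposed else 0)
```

A non-zero exit code marks a host where the setting is not explicitly disabled, which is useful as a fleet-wide check until the vendor update is applied.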
How to mitigate CVE-2026-33145

Install the security update from the vendor's website.

Sources