HIGH · CVE-2026-53694 · CNA: CIRCL

CVE-2026-53694: Potential local privilege escalation through argument injection in the nxchmod.sh script

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in NoMachine allows Argument Injection. This issue affects NoMachine: before 9.5.7, before 8.23.2.

Metrics

CVSS v4.0: 7.3
Severity: HIGH
Fixed in: 8.23.2
Affected Products: 1


HarborGuard Analysis

Synopsis

An argument injection vulnerability in NoMachine's nxchmod.sh script allows a local attacker with a low-privilege account to escalate privileges on the host. The vulnerability is reachable locally and requires no interaction from any other user, based on the CVSS vector (AV:L, PR:L, UI:N). Successful exploitation gives the attacker full read, write, and denial-of-service capability over the affected system. Patched-image rebuilds at versions 8.23.2 and 9.5.7 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-53694 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle NoMachine. Coverage applies to both the 8.x and 9.x affected version ranges.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.3 HIGH (v4.0) and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at NoMachine versions 8.23.2 or 9.5.7 is available on HarborGuard for any environment found running an affected image. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no elevated or administrative credentials are needed to trigger the injection.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker can exploit the flaw entirely on their own.

  • Attack complexity: Detail

    Attack complexity is low (AC:L), though the AT:P token indicates that specific target conditions or configuration states must be present on the host for the exploit to succeed.

Blast Radius

  • Reads sensitive files and data accessible on the host, including credentials, configuration, and session material.
  • Modifies or overwrites files and system state on the host, enabling persistence or sabotage of running services.
  • Crashes or disrupts the affected NoMachine service or other host processes, causing a denial of service.
  • Because scope is confined to the local system (SC:N, SI:N, SA:N), impact does not propagate to adjacent container or network resources beyond the compromised host.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of advisory ingestion and is matched against all customer images containing affected NoMachine versions across both the 8.x and 9.x branches. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fixed version (8.23.2 or 9.5.7), runs regression tests, and opens a pull request against affected workloads; for HIGH-severity findings, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is surfaced in the triage queue with full CVSS v4.0 context for engineer review.


Fix available: 8.23.2, 9.5.7
Affected packages
  • NoMachine / NoMachine
    < 9.5.7 (from 0) · < 8.23.2 (from 0)
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
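
The affected range above spans two release branches, so a single "less than" comparison either flags 8.23.2 as vulnerable or misses early 9.x builds. The following is an added example (not HarborGuard's or NoMachine's code) that matches each version against the fixed release of its own branch; the build-suffix format, the handling of branches outside 8.x and 9.x, and the sample inventory are assumptions.

```python
import re

# Fixed release per major branch, as stated in the advisory.
FIXED = {8: (8, 23, 2), 9: (9, 5, 7)}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into ints; a '_N' build suffix is tolerated
    and ignored (assumed format, not taken from the advisory)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_\d+)?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True when the version predates the fix for its own branch."""
    version = parse_version(text)
    major = version[0]
    if major in FIXED:
        # Tuple comparison is numeric, so 9.10.0 sorts after 9.5.7.
        return version < FIXED[major]
    # Assumption: branches older than 8.x have no fixed release (the range
    # starts "from 0"); branches newer than 9.x are treated as fixed.
    return major < min(FIXED)


def triage(inventory):
    """Classify a {host: version} mapping as affected / fixed / unknown."""
    report = {}
    for host, text in inventory.items():
        try:
            report[host] = "affected" if is_affected(text) else "fixed"
        except ValueError:
            report[host] = "unknown"  # needs manual review, never assumed fixed
    return report


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE = {
    "build-01": "8.23.1",
    "build-02": "8.23.2",
    "desk-17": "9.0.188",
    "desk-18": "9.10.0",
    "legacy-03": "7.10.1",
    "kiosk-09": "unknown-build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {SAMPLE[host]:14} {status}")
```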