CVE-2026-33145: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in neutrinolabs xrdp
xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This results in shell-interpreted execution of unsanitized, user-controlled input. This behavior effectively provides a scriptable remote command execution primitive over RDP within the security context of the authenticated user, occurring prior to normal window manager startup. This can bypass expected session initialization flows and operational assumptions that restrict execution to interactive desktop environments. This issue has been fixed in version 0.10.6.
AI Analysis
Technical Summary
xrdp is an open source RDP server that, in versions through 0.10.5, improperly neutralizes special elements in the AlternateShell parameter, leading to OS command injection (CWE-78). When AllowAlternateShell is enabled, xrdp-sesman executes the client-supplied AlternateShell value unsafely via a shell command, allowing authenticated users to run arbitrary commands on the server. This execution happens during session initialization, prior to window manager startup, potentially bypassing session flow assumptions. The vulnerability is addressed in xrdp version 0.10.6.
Potential Impact
An authenticated remote user can execute arbitrary commands on the server with the privileges of the authenticated user. This can lead to unauthorized command execution and potential compromise of the server environment. The vulnerability affects confidentiality, integrity, and availability to a limited extent (CVSS 6.3, medium severity). No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade xrdp to version 0.10.6 or later, where this vulnerability is fixed. Since no official patch link or advisory is provided, verify the upgrade from the neutrinolabs official sources. Until upgraded, consider disabling the AllowAlternateShell setting to prevent exploitation.
CVE-2026-33145: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in neutrinolabs xrdp
Description
xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This results in shell-interpreted execution of unsanitized, user-controlled input. This behavior effectively provides a scriptable remote command execution primitive over RDP within the security context of the authenticated user, occurring prior to normal window manager startup. This can bypass expected session initialization flows and operational assumptions that restrict execution to interactive desktop environments. This issue has been fixed in version 0.10.6.
CVSS v3.1
Score 6.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
xrdp is an open source RDP server that, in versions through 0.10.5, improperly neutralizes special elements in the AlternateShell parameter, leading to OS command injection (CWE-78). When AllowAlternateShell is enabled, xrdp-sesman executes the client-supplied AlternateShell value unsafely via a shell command, allowing authenticated users to run arbitrary commands on the server. This execution happens during session initialization, prior to window manager startup, potentially bypassing session flow assumptions. The vulnerability is addressed in xrdp version 0.10.6.
Potential Impact
An authenticated remote user can execute arbitrary commands on the server with the privileges of the authenticated user. This can lead to unauthorized command execution and potential compromise of the server environment. The vulnerability affects confidentiality, integrity, and availability to a limited extent (CVSS 6.3, medium severity). No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade xrdp to version 0.10.6 or later, where this vulnerability is fixed. Since no official patch link or advisory is provided, verify the upgrade from the neutrinolabs official sources. Until upgraded, consider disabling the AllowAlternateShell setting to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-17T20:35:49.930Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e29a32bdfbbecc598cc5d7
Added to database: 4/17/2026, 8:38:10 PM
Last enriched: 4/25/2026, 2:39:17 AM
Last updated: 6/2/2026, 7:54:23 AM
Views: 50
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.