HIGH 8.4

CVE-2026-26422: clash-verge-service-ipc Local Privilege Escalation Vulnerability

A flaw in clash-verge-service-ipc versions prior to 2.3.0 exposes an inter-process communication endpoint that is accessible to any local user on the system. An attacker with local access can exploit this to escalate their privileges to a higher level, potentially gaining full control of the affected system. This is a local-only attack that does not require any special user privileges or interaction to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-732
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-26422 stems from improper file or resource permission settings (CWE-732) in the IPC mechanism of clash-verge-service-ipc. The service exposes a world-reachable IPC endpoint without enforcing adequate access controls, allowing any unprivileged local process to communicate with and manipulate the service. This enables a local privilege escalation attack path where a low-privileged user can interact with the IPC interface to execute arbitrary operations with the service's elevated privileges. The vulnerability affects all versions before 2.3.0.

Business impact

Local privilege escalation vulnerabilities like this one pose a significant risk in environments where multiple users or processes operate on shared systems, including development machines, CI/CD agents, and shared cloud instances. An attacker who gains initial low-privilege access—via a compromised application, supply chain compromise, or insider access—can weaponize this flaw to obtain root or system-level privileges. This can lead to complete system compromise, lateral movement to other systems, data exfiltration, or deployment of persistent backdoors. Organizations using clash-verge-service-ipc in security-sensitive contexts should treat this as a high-priority remediation target.

Affected systems

Any deployment of clash-verge-service-ipc prior to version 2.3.0 is vulnerable. This includes development workstations, CI/CD pipeline agents, containerized environments, and production systems that rely on this component. The vulnerability requires local access to the affected machine to exploit, so risk is highest in multi-tenant or multi-user environments where privilege boundaries are important.

Exploitability

Exploitation is straightforward from a technical perspective: any local user or process can interact with the exposed IPC endpoint without authentication or privilege checks. No complex techniques, user interaction, or race conditions are required. The low attack complexity (AC:L) and lack of privilege requirements (PR:N) mean an attacker needs only to be present on the system to attempt exploitation. However, the attack is local-only (AV:L), so remote exploitation is not possible. The lack of current KEV status does not indicate a low threat—it reflects the vulnerability's relative newness or limited confirmed active exploitation at the time of data collection.

Remediation

Update clash-verge-service-ipc to version 2.3.0 or later, which remediates the IPC endpoint permissions issue. Verify the update against the official vendor advisory to confirm the exact patch version and any additional changes. Organizations unable to patch immediately should implement compensating controls: restrict local access to systems running vulnerable versions, isolate them from untrusted users or processes, and monitor IPC endpoint usage for suspicious activity.

Patch guidance

Upgrade clash-verge-service-ipc to 2.3.0 or newer. Check the official release notes and security advisory from the maintainers to confirm this version includes the privilege escalation fix and to identify any breaking changes or additional security improvements. Test the patch in a non-production environment before deploying widely. For containerized deployments, rebuild images with the patched version and redeploy. For systemd or other service-based installations, verify that service configurations are compatible with the new version.

Detection guidance

Monitor system logs for unexpected access to IPC sockets or endpoints associated with clash-verge-service-ipc. On Linux systems, inspect /var/run, /tmp, or other IPC locations for world-readable or world-writable socket files created by the service. Use tools like lsof or netstat to enumerate active IPC connections. Behavioral detection should flag privilege escalation events (process UID changes) following interaction with the IPC endpoint. Application-level logging from clash-verge-service-ipc itself—if available—may reveal unauthorized IPC method calls from unprivileged processes.

Why prioritize this

This vulnerability earns a HIGH severity rating (CVSS 8.4) due to its impact scope: it grants complete system compromise through local privilege escalation with no barriers to exploitation. While it requires local access, this is a realistic threat in shared computing environments and is often a follow-on objective in multi-stage attacks. Organizations should prioritize patching based on their exposure: systems with multiple local users, shared hosting environments, CI/CD agents, or systems adjacent to lateral movement paths warrant immediate attention. Even isolated production systems should be updated within standard change windows.

Risk score, explained

The CVSS 3.1 score of 8.4 reflects: Attack Vector (Local) = limited blast radius but applicable to common deployment scenarios; Attack Complexity (Low) = trivial exploitation; Privileges Required (None) and User Interaction (None) = no barriers to triggering the flaw; and Confidentiality, Integrity, Availability impacts (all High) = complete system takeover potential. This score correctly captures a high-impact local privilege escalation that is easy to exploit but requires prior local presence.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The attack vector is local-only (AV:L), meaning the attacker must already have access to the affected system. It cannot be exploited over a network without first compromising local access through another means.

What versions are affected?

All versions of clash-verge-service-ipc before 2.3.0 are vulnerable. Version 2.3.0 and later include the necessary access control fixes. Verify your installed version and upgrade accordingly.

What should I do if I cannot patch immediately?

Restrict local user access to systems running vulnerable versions. Implement file system permissions to prevent untrusted processes from reaching the IPC endpoints, isolate the service in containers or VMs with strict access controls, and monitor for suspicious IPC activity. These are temporary mitigations only; patching remains the proper fix.

Is this vulnerability being actively exploited in the wild?

As of the data collection date, this vulnerability was not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the absence of KEV status does not indicate low risk—it reflects the vulnerability's relative newness. Always assume that local privilege escalation flaws will eventually be weaponized if not patched promptly.

This analysis is provided for informational purposes and represents a point-in-time assessment based on publicly available vulnerability data. SEC.co does not provide legal, compliance, or business advice. Organizations must conduct their own risk assessments and testing before deploying patches. Vendor advisories and official security announcements are the authoritative source for remediation details, affected version lists, and patch availability. This document does not constitute a recommendation to deploy any specific patch or remediation. Test all updates in non-production environments first. Security teams should monitor vendor communications and security feeds for updated information on this and related vulnerabilities. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).