This page lists all security vulnerabilities fixed in released versions of Apache Guacamole. Each vulnerability is listed with a description of the problem, its associated CVE number, and the Guacamole release in which the vulnerability was fixed.

Reporting new vulnerabilities

If you believe you have discovered a security problem in Apache Guacamole, please follow responsible disclosure practices and report discovered security issues privately, either to the private security mailing list of the ASF Security Team or the security@guacamole.apache.org mailing list, before disclosing or discussing the issue in a public forum.

Vulnerabilities in dependencies

Is Apache Guacamole affected by CVE-2023-5129?

No. CVE-2023-5129 (aka CVE-2023-4863) deals specifically with decoding WebP images, not encoding.

You would also receive updates to libwebp from your distribution as the library itself is not bundled within Guacamole. If using our Docker images, the images are automatically rebuilt nightly to bring in updates from the maintainer of the base image (Alpine Linux), and a pull of the latest would give you an updated image.

Is Apache Guacamole affected by CVE-2021-44228?

No, CVE-2021-44228 does not affect Apache Guacamole. Guacamole uses Logback as its logging backend, not Log4j.

Is Apache Guacamole affected by AngularJS vulnerabilities?

No. We routinely check for known vulnerabilities in AngularJS and manually verify that Guacamole is not impacted by each.

Table of vulnerabilities and corresponding analyses

CVE ID	Analysis
CVE-2022-25844	This is a potential regular expression denial of service in AngularJS’ handling of locale rules. This cannot affect Guacamole, which does not construct locale rules with untrusted data.
CVE-2022-25869	This vulnerability is specific to Internet Explorer and its potentially insecure caching of <textarea> element contents. This cannot affect Guacamole, which does not load <textarea> elements in a way that Internet Explorer is capable of caching.
CVE-2023-26116	This is a potential regular expression denial of service in AngularJS’ angular.copy() utility function. This cannot affect Guacamole, which does not pass untrusted data to this function.
CVE-2023-26117	This is a potential regular expression denial of service in AngularJS’ $resource service. This cannot affect Guacamole, which does not make use of the $resource service, let alone pass untrusted data to it.
CVE-2023-26118	This is a potential regular expression denial of service in AngularJS’ handling of <input type="url"> elements. This cannot affect Guacamole, which does not use these elements.
CVE-2024-21490	This is a potential regular expression denial of service in AngularJS’ ng-srcset directive. This cannot affect Guacamole which does not use this directive, let alone pass untrusted data to it.
CVE-2024-8372	This is a potential bypass of AngularJS’ image source restriction capabilities specific to the srcset attribute. This cannot affect Guacamole, which does not rely on AngularJS to restrict image sources.
CVE-2024-8373	This is a potential bypass of AngularJS’ image source restriction capabilities specific to the srcset attribute of <source> elements. This cannot affect Guacamole, which does not rely on AngularJS to restrict image sources.
CVE-2025-0716	This is a potential bypass of AngularJS’ image source restriction capabilities specific to the href and xlink:href attributes of <image> tags within SVG content. This cannot affect Guacamole, which does not rely on AngularJS to restrict image sources.

If you believe a new vulnerability in AngularJS may require specific remediation within Guacamole, please reach out to us by sending an email to security@guacamole.apache.org and we will investigate promptly. If a potential vulnerability in AngularJS does need to be addressed, we will work with you to issue a release of Guacamole that addresses it.

Releases of Guacamole 1.x will continue to use AngularJS for compatibility, while Guacamole 2.0.0 onward is planned to use Angular (the TypeScript-based framework that supersedes AngularJS).

Fixed in Apache Guacamole 1.6.0

• CVE-2024-35164: Improper input validation of console codes

  The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process.

  Acknowledgements: We would like to thank Tizian Seehaus (Tibotix) for reporting this issue.

Fixed in Apache Guacamole 1.5.4

• CVE-2023-43826: Integer overflow in handling of VNC image buffers

  Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.

  Acknowledgements: We would like to thank Joseph Surin (Elttam) and Matt Jones (Elttam) for reporting this issue.

Fixed in Apache Guacamole 1.5.2

• CVE-2023-30575: Incorrect calculation of Guacamole protocol element lengths

  Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data.

  Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.

• CVE-2023-30576: Use-after-free in handling of RDP audio input buffer

  Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process.

  Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.

Fixed in Apache Guacamole 1.4.0

• CVE-2021-43999: Improper validation of SAML responses

  Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.

  Acknowledgements: We would like to thank Finn Steglich (ETAS) for reporting this issue.

• CVE-2021-41767: Private tunnel identifier may be included in the non-private details of active connections

  Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user’s active use of that same connection.

  Acknowledgements: We would like to thank Damian Velardo (Australia and New Zealand Banking Group) for reporting this issue.

Fixed in Apache Guacamole 1.3.0

• CVE-2020-11997: Inconsistent restriction of connection history visibility

  Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.

  Acknowledgements: We would like to thank William Le Berre (Synetis) for reporting this issue.

Fixed in Apache Guacamole 1.2.0

• CVE-2020-9498: Dangling pointer in RDP static virtual channel handling

  Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.

  Acknowledgements: We would like to thank Eyal Itkin (Check Point Research) for reporting this issue.

• CVE-2020-9497: Improper input validation of RDP static virtual channels

  Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

  Acknowledgements: We would like to thank GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.

Fixed in Apache Guacamole 1.0.0

• CVE-2018-1340: Secure flag missing from session cookie

  Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user’s session token. This cookie lacked the “secure” flag, which could allow an attacker eavesdropping on the network to intercept the user’s session token if unencrypted HTTP requests are made to the same domain.

  Acknowledgements: We would like to thank Ross Golder for reporting this issue.

Fixed in Guacamole 0.9.9 (pre-Apache release)

• CVE-2016-1566: Stored cross-site scripting (XSS) in file browser

  A cross-site scripting (XSS) vulnerability was discovered through which files with specially-crafted filenames could lead to JavaScript execution if file transfer is enabled to a location which is shared by multiple users, and the filename is displayed within the file browser located within the Guacamole menu.

  Acknowledgements: We would like to thank Niv Levy for reporting this issue.

Fixed in Guacamole 0.6.3 (pre-Apache release)

• CVE-2012-4415: Buffer overflow in guac_client_plugin_open()

  A stack-based buffer overflow vulnerability was discovered in the guac_client_plugin_open() function in libguac in Guacamole before 0.6.3 which could allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long protocol name.

  Acknowledgements: We would like to thank Timo Juhani Lindfors for reporting this issue.