Windows Junction Bypass Enables SYSTEM Privilege File Deletion (CVE-2026-33694)
CVE-2026-33694 Published on April 23, 2026
Junction File Manipulation
This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.
Weakness Type
What is an insecure temporary file Vulnerability?
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CVE-2026-33694 has been classified to as an insecure temporary file vulnerability or weakness.
Products Associated with CVE-2026-33694
Want to know whenever a new CVE is published for Tenable Nessus? stack.watch will email you.
Affected Versions
Tenable, Inc. Tenable Nessus, Tenable Nessus Agent:- Version Nessus Agent, <= 11.1.2 is affected.
- Version Nessus, <= 10.11.3 is affected.