Security Bulletins

TV-2026-1003

Access control vulnerability in TeamViewer Full and Host clients

Bulletin ID
TV-2026-1003
Issue Date
Feb 5, 2026
Last Update
Feb 5, 2026
Priority
Important
CVSS
7.2 (High)
Assigned CVE
CVE-2026-23572
Affected Products
TeamViewer Remote
TeamViewer Tensor
TeamViewer One

1. Summary

A vulnerability has been discovered and fixed in the TeamViewer Full and Host clients, which allows an authenticated user to bypass additional access controls prior to confirmation of the counterparty.

2. Vulnerability details

CVE-ID

CVE-2026-23572

Description

Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior version 15.74.5 allows an authenticated user to bypass additional access controls with “Allow after confirmation” configuration in a remote session. An exploit could result in unauthorized access prior to local confirmation. The user needs to be authenticated for the remote session via ID/password, Session Link, or Easy Access as a prerequisite to exploit this vulnerability.

 

At this time, there is no indication that this vulnerability has been exploited in the wild.

 

The vulnerability has been fixed with version 15.74.5 and additional versions listed below. We recommend updating to the latest available version.

CVSS3.1 Score

Base Score 7.2 (High)

CVSS3.1 Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem type

CWE-284: Improper Access Control

3. Affected software and versions

Product
Versions
Info

TeamViewer Full Client (Windows)

< 15.74.5

Download available

TeamViewer Full Client (macOS)

< 15.74.5

Download available

TeamViewer Full Client (Linux)

< 15.74.5

Download available

TeamViewer Host (Windows)

< 15.74.5

Download available

TeamViewer Host (macOS)

< 15.74.5

Download available

TeamViewer Host (Linux)

< 15.74.5

Download available

4. Solutions and mitigations

Update to the latest client version (15.74.5 or the latest version available).

Optional mitigation: If an immediate update of the client is not possible and the use of additional access controls is required, the access control setting “Control this computer – Allow after Confirmation” can be set as mitigation. This prevents exploitation. The access controls can be configured in the Client Settings – “Advanced Options > Advanced Settings for connections to this computer” or via Policies “Access Control (incoming connections)”.

5. Acknowledgments

We would like to thank V.Z. & M.M. for the discovery and responsible disclosure.