CVE-2026-23572 PUBLISHED

Improper Access Control in TeamViewer clients

Assigner: TV
Reserved: 14.01.2026 Published: 05.02.2026 Updated: 05.02.2026

Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior version 15.74.5 allows an authenticated user to bypass additional access controls with “Allow after confirmation” configuration in a remote session. An exploit could result in unauthorized access prior to local confirmation. The user needs to be authenticated for the remote session via ID/password, Session Link, or Easy Access as a prerequisite to exploit this vulnerability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	TeamViewer
Product	Remote
Versions	Default: unaffected affected from 0 to 15.74.5 (excl.)

Vendor	TeamViewer
Product	Tensor
Versions	Default: unaffected affected from 0 to 15.74.5 (excl.)

Vendor	TeamViewer
Product	One
Versions	Default: unaffected affected from 0 to 15.74.5 (excl.)

Workarounds

If an immediate update of the client is not possible and the use of additional access controls is required, the access control setting “Control this computer – Allow after Confirmation” can be set as mitigation. This prevents exploitation. The access controls can be configured in the Client Settings – “Advanced Options > Advanced Settings for connections to this computer” or via Policies “Access Control (incoming connections)”.

Solutions

Update to the latest client version (15.74.5 or the latest version available).

References

https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1003/

Problem Types

CWE-863 Incorrect Authorization CWE

Impacts

CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels