Questions about the critical ThinLinc security issue found on 04-08-2026

Hi all,

I just saw the urgent announcement about the security issue that has been found on ThinLinc servers on 04-08-2026:

Because that post does not allow replies, I am creating this thread here. I do thank ThinLinc for promptly letting us know about the issue, but because a patch is expected only 14 days from now, I am afraid we need more information than what was provided. For example:

  1. what does “allows any user to impersonate any other user” mean exactly? Would the impersonator need to know the real user’s password or can they do so without that?

  2. does that affect the security of our servers with regard to non-users? That is, can attackers who are not registered as users at all gain access to our servers in any way due to this issue?

  3. are there any measures that we can take in the meanwhile to mitigate risks?

Thanks for clarifying these topics!

4 Likes

Hi @Lucy_Z,

The issue relates to existing, authenticated users. So it is only users who are already able to authenticate successfully who would be able to impersonate others.

Unfortunately, in the interests of responsible disclosure, we’re unable to divulge much more information at present. The fix will be provided as a point release, so we wanted to give enough notice for people to schedule in a maintenance window for the upgrade.

Appreciate your understanding in all of this!

4 Likes

Also note that the issue was discovered during a penetration test. We have not seen any indications of it being used by malicious actors in the wild.

1 Like

Okay, so that sounds like “if I trust my current users and their client machines have not been compromised (no credentials or 2FA tokens leaked), I have nothing to fear at the moment”?

Yes. That is correct.

1 Like