Description
RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of RustDesk Client for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Transfer File feature. By uploading a symbolic link, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-27909.
Published: 2026-02-20
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local attackers with low-privileged code execution can upload a symbolic link through the Transfer File feature of RustDesk Client for Windows and read arbitrary files, disclosing information in the context of SYSTEM. The vulnerability is an Information Disclosure flaw.
Action: Apply Update
AI Analysis

Impact

A local attacker who can run low-privileged code on a Windows system may upload a symbolic link via the Transfer File feature in RustDesk Client. The client follows the link and reads the target file, allowing disclosure of arbitrary files on the host. Because the read is performed in the context of SYSTEM, data that the low-privileged account cannot access directly may be exposed. The weakness is link following (improper link resolution before file access), classified as CWE-59.

Affected Systems

RustDesk Client for Windows is the affected product. The advisory does not list specific versions, indicating that all unpatched Windows client installations that allow symbolic‑link uploads are vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium risk level. EPSS is below 1%, implying a low probability of exploitation in the current landscape. The vulnerability is not included in the CISA KEV catalog. An attacker must first achieve local code execution, which limits the attack surface to parties who can already run code on the machine. With that foothold, arbitrary file reads can occur in the context of SYSTEM, potentially compromising sensitive information. The overall risk is moderate and contingent on the attacker having local low-privileged code execution.

Generated by OpenCVE AI on April 18, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review and install the latest RustDesk Client for Windows update once the vendor releases a fix for the Transfer File symbolic‑link handling flaw.
  • If a patch is not yet available, disable the Transfer File feature or restrict its use to trusted users only to prevent symbolic‑link uploads.
  • Enforce least privilege on the local machine and restrict which accounts can run code or create symbolic links, so that untrusted users cannot place a link for the Transfer File feature to follow.


Advisories

No advisories yet.

History

Tue, 24 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Rustdesk; Rustdesk client For Windows
Vendors & Products |  | Rustdesk; Rustdesk client For Windows

Fri, 20 Feb 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description |  | RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of RustDesk Client for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Transfer File feature. By uploading a symbolic link, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-27909.
Title |  | RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability
Weaknesses |  | CWE-59
References |  |
Metrics |  | cvssV3_0 {'score': 5.5, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-24T15:16:07.584Z

Reserved: 2026-02-13T21:13:34.414Z

Link: CVE-2026-2490

Vulnrichment

Updated: 2026-02-24T15:16:02.686Z

NVD

Status: Deferred

Published: 2026-02-20T23:16:05.300

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses