Description
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling.

This issue affects RustDesk Client: through 1.4.5.
Published: 2026-03-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Abuse that bypasses admin commands and ACL policies
Action: Apply Patch
AI Analysis

Impact

A flaw in the RustDesk Client's API sync loop and configuration handling allows an attacker to orphan the client's API channel, so that every administrative command and ACL policy sent from the server is ignored. This enables privilege abuse: a compromised client can bypass server-enforced restrictions and carry out actions that would normally require higher privileges. The weakness is classified as CWE-602 (Insecure Design) and CWE-841 (Unauthorized Modification of Permissions).

Affected Systems

The vulnerability affects the RustDesk Client on Windows, macOS, Linux, iOS, Android, and the WebClient. All installations up to and including version 1.4.5 are affected, regardless of the underlying operating system (including the various OS CPEs listed in the history below).

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score of less than 1% reflects a very low exploitation probability at the time of analysis. The vulnerability is not currently listed in the CISA KEV catalog. The likely exploitation path is a remote attacker who gains control of a RustDesk session or injects a malicious API command and then orphans the API channel so that server-side controls no longer apply. No publicly available exploit code is noted, so the practical risk hinges on the remote attack vector and on the attacker being able to send commands through the client.

Generated by OpenCVE AI on April 16, 2026 at 12:20 UTC.

Remediation

Vendor Solution

Move enforcement to server side. Require Signed Session Authorization Tokens.


Vendor Workaround

Restrict physical/remote access to RustDesk config files


OpenCVE Recommended Actions

  • Upgrade RustDesk Client to the latest release that includes server‑side enforcement and signed session authorization tokens.
  • Configure the server to enforce ACL policies and other restrictions so that unsigned or orphaned API channels are rejected.
  • Restrict physical and remote access to RustDesk configuration files on all client machines, applying strict file‑system permissions to prevent unauthorized modifications.



Advisories

No advisories yet.

History

Wed, 25 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk
CPEs | | cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*; cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:google:android:-:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 06 Mar 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling. This issue affects RustDesk Client: through 1.4.5.
Title | | RustDesk Client Can Orphan API Channel to Ignore All Admin Commands and ACL Policies
First Time appeared | | Rustdesk-client; Rustdesk-client rustdesk Client
Weaknesses | | CWE-602; CWE-841
CPEs | | cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*; cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*; cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*; cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*; cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:webclient:*:*:*:*:*; cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products | | Rustdesk-client; Rustdesk-client rustdesk Client
References | |
Metrics | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-06T10:27:23.721Z

Reserved: 2026-03-05T14:13:35.407Z

Link: CVE-2026-30783

Vulnrichment

Updated: 2026-03-06T10:27:13.108Z

NVD

Status : Analyzed

Published: 2026-03-05T16:16:18.910

Modified: 2026-03-25T16:30:01.837

Link: CVE-2026-30783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses