{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30783", "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "state": "PUBLISHED", "assignerShortName": "VULSec", "dateReserved": "2026-03-05T14:13:35.407Z", "datePublished": "2026-03-05T15:52:21.992Z", "dateUpdated": "2026-03-06T10:27:23.721Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/rustdesk/rustdesk/releases", "defaultStatus": "affected", "modules": ["Client signaling", "API sync loop", "config management"], "packageName": "rustdesk-client", "platforms": ["Windows", "MacOS", "Linux", "iOS", "Android", "WebClient"], "product": "RustDesk Client", "programFiles": ["src/rendezvous_mediator.rs", "src/hbbs_http/sync.rs"], "programRoutines": [{"name": "API sync loop"}, {"name": "api-server config handling"}], "repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common", "vendor": "rustdesk-client", "versions": [{"lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Default \u2014 any client deployment (OSS or Pro)"}], "value": "Default \u2014 any client deployment (OSS or Pro)"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:webclient:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Erez Kalman"}, {"lang": "en", "type": "reporter", "value": "Erez Kalman"}], "datePublic": "2026-03-05T13:45:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse.<p> This vulnerability is associated with program files <tt>src/rendezvous_mediator.Rs</tt>, <tt>src/hbbs_http/sync.Rs</tt> and program routines <tt>API sync loop</tt>, <tt>api-server config handling</tt>.</p><p>This issue affects RustDesk Client: through 1.4.5.</p>"}], "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling.\n\nThis issue affects RustDesk Client: through 1.4.5."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "PoC available. Trivially exploitable.<br>"}], "value": "PoC available. Trivially exploitable."}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-602", "description": "CWE-602", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-841", "description": "CWE-841", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "shortName": "VULSec", "dateUpdated": "2026-03-05T17:01:18.317Z"}, "references": [{"tags": ["technical-description", "x_--config documentation"], "url": "https://rustdesk.com/docs/en/client/"}, {"tags": ["third-party-advisory", "exploit"], "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"}, {"tags": ["vdb-entry", "third-party-advisory"], "url": "https://www.vulsec.org/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Move enforcement to server side. Require Signed Session Authorization Tokens."}], "value": "Move enforcement to server side. Require Signed Session Authorization Tokens."}], "source": {"discovery": "UNKNOWN"}, "title": "RustDesk Client Can Orphan API Channel to Ignore All Admin Commands and ACL Policies", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Restrict physical/remote access to RustDesk config files"}], "value": "Restrict physical/remote access to RustDesk config files"}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T10:26:06.050744Z", "id": "CVE-2026-30783", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:27:23.721Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30783", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T10:26:06.050744Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:27:13.108Z"}}], "cna": {"title": "RustDesk Client Can Orphan API Channel to Ignore All Admin Commands and ACL Policies", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Erez Kalman"}, {"lang": "en", "type": "reporter", "value": "Erez Kalman"}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common", "vendor": "rustdesk-client", "modules": ["Client signaling", "API sync loop", "config management"], "product": "RustDesk Client", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.5"}], "platforms": ["Windows", "MacOS", "Linux", "iOS", "Android", "WebClient"], "packageName": "rustdesk-client", "programFiles": ["src/rendezvous_mediator.rs", "src/hbbs_http/sync.rs"], "collectionURL": "https://github.com/rustdesk/rustdesk/releases", "defaultStatus": "affected", "programRoutines": [{"name": "API sync loop"}, {"name": "api-server config handling"}]}], "exploits": [{"lang": "en", "value": "PoC available. Trivially exploitable.", "supportingMedia": [{"type": "text/html", "value": "PoC available. Trivially exploitable.<br>", "base64": false}]}], "solutions": [{"lang": "en", "value": "Move enforcement to server side. Require Signed Session Authorization Tokens.", "supportingMedia": [{"type": "text/html", "value": "Move enforcement to server side. Require Signed Session Authorization Tokens.", "base64": false}]}], "datePublic": "2026-03-05T13:45:00.000Z", "references": [{"url": "https://rustdesk.com/docs/en/client/", "tags": ["technical-description", "x_--config documentation"]}, {"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub", "tags": ["third-party-advisory", "exploit"]}, {"url": "https://www.vulsec.org/", "tags": ["vdb-entry", "third-party-advisory"]}], "workarounds": [{"lang": "en", "value": "Restrict physical/remote access to RustDesk config files", "supportingMedia": [{"type": "text/html", "value": "Restrict physical/remote access to RustDesk config files", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling.\n\nThis issue affects RustDesk Client: through 1.4.5.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse.<p> This vulnerability is associated with program files <tt>src/rendezvous_mediator.Rs</tt>, <tt>src/hbbs_http/sync.Rs</tt> and program routines <tt>API sync loop</tt>, <tt>api-server config handling</tt>.</p><p>This issue affects RustDesk Client: through 1.4.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-841", "description": "CWE-841"}]}], "configurations": [{"lang": "en", "value": "Default \u2014 any client deployment (OSS or Pro)", "supportingMedia": [{"type": "text/html", "value": "Default \u2014 any client deployment (OSS or Pro)", "base64": false}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:webclient:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "shortName": "VULSec", "dateUpdated": "2026-03-05T17:01:18.317Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30783", "state": "PUBLISHED", "dateUpdated": "2026-03-06T10:27:23.721Z", "dateReserved": "2026-03-05T14:13:35.407Z", "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "datePublished": "2026-03-05T15:52:21.992Z", "assignerShortName": "VULSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*", "matchCriteriaId": "14986BCF-B589-41F2-913D-2800283B452B", "versionEndIncluding": "1.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705", "vulnerable": false}, {"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling.\n\nThis issue affects RustDesk Client: through 1.4.5."}, {"lang": "es", "value": "Una vulnerabilidad en rustdesk-client RustDesk Client rustdesk-client en Windows, MacOS, Linux, iOS, Android, WebClient (se\u00f1alizaci\u00f3n del cliente, bucle de sincronizaci\u00f3n de la API, m\u00f3dulos de gesti\u00f3n de configuraci\u00f3n) permite el abuso de privilegios. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs y las rutinas del programa bucle de sincronizaci\u00f3n de la API, manejo de la configuraci\u00f3n del servidor API.\n\nEste problema afecta a RustDesk Client: hasta la versi\u00f3n 1.4.5."}], "id": "CVE-2026-30783", "lastModified": "2026-03-25T16:30:01.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "type": "Secondary"}]}, "published": "2026-03-05T16:16:18.910", "references": [{"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Exploit", "Third Party Advisory"], "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Product"], "url": "https://rustdesk.com/docs/en/client/"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Third Party Advisory"], "url": "https://www.vulsec.org/"}], "sourceIdentifier": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-602"}, {"lang": "en", "value": "CWE-841"}], "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux", "ios", "android", "webclient"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.5]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "RustDesk Client", "source": "cna", "vendor": "rustdesk-client"}, "product": "rustdesk_client", "vendor": "rustdesk-client"}], "created": "2026-03-06T15:01:42.703712+00:00", "updated": "2026-03-06T15:01:42.703800+00:00", "vendors": ["rustdesk-client", "rustdesk-client$PRODUCT$rustdesk_client"]}