Description
Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.rs, src/relay_server.rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.

This issue affects RustDesk Server: through 1.7.5, through 1.1.15.
Published: 2026-03-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access and Privilege Abuse
Action: Patch Update
AI Analysis

Impact

Missing authentication and authorization checks in the hbbs (rendezvous) and hbbr (relay) modules of RustDesk Server allow attackers to connect to the broker services without credentials, enabling privilege abuse. The vulnerability is located in the functions that handle punch-hole requests and peer registration, potentially allowing an unauthenticated user to interfere with session establishment or routing. This can compromise the confidentiality and availability of remote sessions and may provide a foothold for further exploitation. Based on the description, it is inferred that attackers would need to establish a network connection to the hbbs/hbbr broker services, likely via the default listening ports (21116 for hbbs and 21117 for hbbr).

Affected Systems

The flaw is present in all RustDesk Server releases up to and including versions 1.7.5 and 1.1.15. Both the OSS and Pro variants, running on any supported operating system, are affected. The vulnerable components are the rendezvous (hbbs) and relay (hbbr) servers listening on ports 21116 and 21117.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity, and an EPSS score below 1%, meaning low but nonzero exploitation probability. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would require network access to the broker services; once connected, they could perform privileged operations by bypassing authentication. The vulnerability is related to CWE-306 and CWE-862.

Generated by OpenCVE AI on April 17, 2026 at 12:43 UTC.

Remediation

Vendor Solution

Implement Signed Session Authorization Tokens validated by hbbs and hbbr


Vendor Workaround

Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords.


OpenCVE Recommended Actions

  • Install the latest RustDesk Server release that includes signed session authorization token validation for hbbs and hbbr.
  • If an update is unavailable, block external traffic to ports 21116 and 21117 using a firewall, and limit connections to trusted networks.
  • Configure strong, unique passwords for any administrative interfaces and monitor server logs for suspicious connection attempts.
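The vendor solution above is a signed session-authorization token that both hbbs and hbbr validate. The page does not describe the token format RustDesk actually adopted, so the following Python is an added illustration, not RustDesk's code: a rendezvous-side issuer produces an HMAC-SHA256 token bound to the two peer ids and an expiry, and a relay-side gate refuses to forward anything unless the token verifies. The function names (issue_session_token, verify_session_token, relay_forward), the claim layout and the shared key are all assumptions; the weak relay_forward_unchecked is included only to show the missing check the advisory describes.

```python
# Added example: an HMAC-signed session-authorization token that a rendezvous
# service issues and a relay service verifies before forwarding. This is NOT
# RustDesk's implementation; all names and the token layout are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises binascii.Error on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(key, peer_id, target_id, ttl_seconds, now=None):
    """Rendezvous side (hypothetical): bind a session to both peer ids and an
    expiry, then sign the claims with a key shared only with the relay."""
    now = int(time.time()) if now is None else now
    claims = {"from": peer_id, "to": target_id, "iat": now, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_session_token(key, token, peer_id, target_id, now=None):
    """Relay side (hypothetical): return the claims if the token is authentic,
    unexpired and bound to this exact peer pair; otherwise return None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: reject before trusting any claim
    claims = json.loads(payload)
    if claims.get("from") != peer_id or claims.get("to") != target_id:
        return None  # authentic token, but issued for a different session
    if not claims["iat"] <= now < claims["exp"]:
        return None  # not yet valid or expired
    return claims


def relay_forward_unchecked(frame):
    """Weak pattern: relay for whoever connects (the missing check)."""
    return frame


def relay_forward(key, token, peer_id, target_id, frame, now=None):
    """Hardened pattern: relay only after the session token verifies."""
    if verify_session_token(key, token, peer_id, target_id, now) is None:
        return None  # drop (and log) instead of relaying
    return frame


if __name__ == "__main__":
    shared_key = b"constructed-demo-key-do-not-use"  # constructed sample value
    tok = issue_session_token(shared_key, "peer-A", "peer-B", 300, now=1_000_000)
    print("in window:", relay_forward(shared_key, tok, "peer-A", "peer-B", b"hi", now=1_000_100))
    print("expired:  ", relay_forward(shared_key, tok, "peer-A", "peer-B", b"hi", now=1_000_400))
```

The order of checks matters: the MAC is compared (in constant time) before any claim is parsed or trusted, the token is bound to the exact peer pair so one session's token cannot be replayed against another target, and the `iat`/`exp` window bounds how long a leaked token stays useful.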

Generated by OpenCVE AI on April 17, 2026 at 12:43 UTC.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 16:30:00 +0000

Type: First Time appeared
  Values Added: Rustdesk; Rustdesk rustdesk Server
Type: CPEs
  Values Added: cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:oss:*:*:*; cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*
Type: Vendors & Products
  Values Added: Rustdesk; Rustdesk rustdesk Server
Type: Metrics (cvssV3_1)
  Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Added: Rustdesk-server; Rustdesk-server rustdesk Server; Rustdesk-server rustdesk Server Pro
Type: Vendors & Products
  Values Added: Rustdesk-server; Rustdesk-server rustdesk Server; Rustdesk-server rustdesk Server Pro

Fri, 06 Mar 2026 11:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 16:15:00 +0000

Type: Description
  Values Added: Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding. This issue affects RustDesk Server: through 1.7.5, through 1.1.15.
Type: Title
  Values Added: RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check
Type: Weaknesses
  Values Added: CWE-306; CWE-862
Type: References
Type: Metrics (cvssV4_0)
  Values Added: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-06T10:29:25.085Z

Reserved: 2026-03-05T14:13:35.407Z

Link: CVE-2026-30784

Vulnrichment

Updated: 2026-03-06T10:29:20.294Z

NVD

Status : Analyzed

Published: 2026-03-05T16:16:19.110

Modified: 2026-03-25T16:19:56.530

Link: CVE-2026-30784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses