{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30784", "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "state": "PUBLISHED", "assignerShortName": "VULSec", "dateReserved": "2026-03-05T14:13:35.407Z", "datePublished": "2026-03-05T15:58:46.790Z", "dateUpdated": "2026-03-06T10:29:25.085Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/rustdesk/", "defaultStatus": "affected", "modules": ["Rendezvous server (hbbs)", "relay server (hbbr)"], "packageName": "rustdesk-server, rustdesk-server-pro", "platforms": ["hbbs/hbbr on all server platforms"], "product": "RustDesk Server", "programFiles": ["src/rendezvous_server.rs", "src/relay_server.rs"], "programRoutines": [{"name": "handle_punch_hole_request()"}, {"name": "RegisterPeer handler"}, {"name": "relay forwarding"}], "repo": "https://github.com/rustdesk/rustdesk-server", "vendor": "rustdesk-server", "versions": [{"changes": [{"at": "Server Pro", "status": "affected"}], "lessThanOrEqual": "1.7.5", "status": "affected", "version": "0", "versionType": "custom"}, {"changes": [{"at": "Server OSS", "status": "affected"}], "lessThanOrEqual": "1.1.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Default \u2014 any hbbs/hbbr deployment (OSS or Pro)"}], "value": "Default \u2014 any hbbs/hbbr deployment (OSS or Pro)"}], "credits": [{"lang": "en", "type": "finder", "value": "Erez Kalman"}, {"lang": "en", "type": "reporter", "value": "Erez Kalman"}], "datePublic": "2026-03-05T13:45:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse.<p> This vulnerability is associated with program files <tt>src/rendezvous_server.Rs</tt>, <tt>src/relay_server.Rs</tt> and program routines <tt>handle_punch_hole_request()</tt>, <tt>RegisterPeer handler</tt>, <tt>relay forwarding</tt>.</p><p>This issue affects RustDesk Server: through 1.7.5, through 1.1.15.</p>"}], "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.\n\nThis issue affects RustDesk Server: through 1.7.5, through 1.1.15."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "PoC available.<br>"}], "value": "PoC available."}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "shortName": "VULSec", "dateUpdated": "2026-03-05T17:03:15.491Z"}, "references": [{"tags": ["technical-description", "product"], "url": "https://rustdesk.com/docs/en/self-host/"}, {"tags": ["third-party-advisory", "exploit"], "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"}, {"tags": ["vdb-entry", "third-party-advisory"], "url": "https://www.vulsec.org/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Implement Signed Session Authorization Tokens validated by hbbs and hbbr"}], "value": "Implement Signed Session Authorization Tokens validated by hbbs and hbbr"}], "source": {"discovery": "UNKNOWN"}, "title": "RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords."}], "value": "Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords."}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T10:28:27.311766Z", "id": "CVE-2026-30784", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:29:25.085Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30784", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T10:28:27.311766Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:29:20.294Z"}}], "cna": {"title": "RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Erez Kalman"}, {"lang": "en", "type": "reporter", "value": "Erez Kalman"}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/rustdesk/rustdesk-server", "vendor": "rustdesk-server", "modules": ["Rendezvous server (hbbs)", "relay server (hbbr)"], "product": "RustDesk Server", "versions": [{"status": "affected", "changes": [{"at": "Server Pro", "status": "affected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.5"}, {"status": "affected", "changes": [{"at": "Server OSS", "status": "affected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.15"}], "platforms": ["hbbs/hbbr on all server platforms"], "packageName": "rustdesk-server, rustdesk-server-pro", "programFiles": ["src/rendezvous_server.rs", "src/relay_server.rs"], "collectionURL": "https://github.com/rustdesk/", "defaultStatus": "affected", "programRoutines": [{"name": "handle_punch_hole_request()"}, {"name": "RegisterPeer handler"}, {"name": "relay forwarding"}]}], "exploits": [{"lang": "en", "value": "PoC available.", "supportingMedia": [{"type": "text/html", "value": "PoC available.<br>", "base64": false}]}], "solutions": [{"lang": "en", "value": "Implement Signed Session Authorization Tokens validated by hbbs and hbbr", "supportingMedia": [{"type": "text/html", "value": "Implement Signed Session Authorization Tokens validated by hbbs and hbbr", "base64": false}]}], "datePublic": "2026-03-05T13:45:00.000Z", "references": [{"url": "https://rustdesk.com/docs/en/self-host/", "tags": ["technical-description", "product"]}, {"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub", "tags": ["third-party-advisory", "exploit"]}, {"url": "https://www.vulsec.org/", "tags": ["vdb-entry", "third-party-advisory"]}], "workarounds": [{"lang": "en", "value": "Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords.", "supportingMedia": [{"type": "text/html", "value": "Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.\n\nThis issue affects RustDesk Server: through 1.7.5, through 1.1.15.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse.<p> This vulnerability is associated with program files <tt>src/rendezvous_server.Rs</tt>, <tt>src/relay_server.Rs</tt> and program routines <tt>handle_punch_hole_request()</tt>, <tt>RegisterPeer handler</tt>, <tt>relay forwarding</tt>.</p><p>This issue affects RustDesk Server: through 1.7.5, through 1.1.15.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "configurations": [{"lang": "en", "value": "Default \u2014 any hbbs/hbbr deployment (OSS or Pro)", "supportingMedia": [{"type": "text/html", "value": "Default \u2014 any hbbs/hbbr deployment (OSS or Pro)", "base64": false}]}], "providerMetadata": {"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "shortName": "VULSec", "dateUpdated": "2026-03-05T17:03:15.491Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30784", "state": "PUBLISHED", "dateUpdated": "2026-03-06T10:29:25.085Z", "dateReserved": "2026-03-05T14:13:35.407Z", "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "datePublished": "2026-03-05T15:58:46.790Z", "assignerShortName": "VULSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:oss:*:*:*", "matchCriteriaId": "4EEF792E-C412-4ECD-A2A2-5506601F4404", "versionEndIncluding": "1.1.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*", "matchCriteriaId": "4F6E21F9-385D-4DB4-9CD4-EDB43561D9E5", "versionEndIncluding": "1.7.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.\n\nThis issue affects RustDesk Server: through 1.7.5, through 1.1.15."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante, Autenticaci\u00f3n Faltante para Funci\u00f3n Cr\u00edtica en rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro en hbbs/hbbr en todas las plataformas de servidor (m\u00f3dulos de servidor Rendezvous (hbbs), servidor de retransmisi\u00f3n (hbbr)) permite el Abuso de Privilegios. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa src/rendezvous_server.Rs, src/relay_server.Rs y las rutinas de programa handle_punch_hole_request(), el gestor RegisterPeer, el reenv\u00edo de retransmisi\u00f3n.\n\nEste problema afecta a RustDesk Server: hasta 1.7.5, hasta 1.1.15."}], "id": "CVE-2026-30784", "lastModified": "2026-03-25T16:19:56.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "type": "Secondary"}]}, "published": "2026-03-05T16:16:19.110", "references": [{"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Exploit", "Third Party Advisory"], "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Product", "Vendor Advisory"], "url": "https://rustdesk.com/docs/en/self-host/"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Not Applicable"], "url": "https://www.vulsec.org/"}], "sourceIdentifier": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-862"}], "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["hbbs/hbbr on all server platforms"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.15]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "rustdesk_server", "vendor": "rustdesk-server"}, {"configurations": [{"platform": ["hbbs/hbbr_on_all_server_platforms"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "RustDesk Server", "source": "cna", "vendor": "rustdesk-server"}, "product": "rustdesk_server_pro", "vendor": "rustdesk-server"}], "created": "2026-03-06T15:01:41.849683+00:00", "updated": "2026-03-06T15:01:41.849772+00:00", "vendors": ["rustdesk-server", "rustdesk-server$PRODUCT$rustdesk_server", "rustdesk-server$PRODUCT$rustdesk_server_pro"]}