Description
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle.

This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options().



This issue affects RustDesk Client: through 1.4.8.
Published: 2026-03-05
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in RustDesk Client permits the manipulation of application API messages via a Man‑in‑the‑Middle attack, enabling an attacker to inject strategy payloads that are blindly merged into the client’s configuration during synchronization. Because no authentication checks are performed, these payloads can modify security settings, bypassing local security controls and potentially granting the attacker elevated privileges or persistent control over the client environment.

Affected Systems

All versions of the RustDesk Client up to and including 1.4.8 on Windows, macOS, Linux, iOS, Android, and the WebClient are affected. The weakness resides in the client’s configuration engine, specifically the strategy merge loop and the Config::set_options function.

Risk and Exploitability

Based on the updated description, the likely attack vector involves a Man‑in‑the‑Middle intercepting unsecured API messages to inject strategy payloads that are blindly merged during configuration synchronization. The exploitation occurs through an unauthenticated API message manipulation channel, enabling the attacker to alter or replace configuration options. This bypasses local security settings and can potentially grant the attacker elevated privileges or persistent control over the client environment. The vulnerability carries a CVSS score of 8.3, indicating high severity. The EPSS score is below 1 %, suggesting a low but non‑zero probability of public exploitation, and the issue is not listed in the CISA KEV catalog. Once an unauthenticated strategy payload is merged, the attacker can change security‑related settings, effectively elevating privileges or establishing a foothold. Because no effective workaround exists, immediate mitigation through an upgrade or proper runtime checks is essential.

Generated by OpenCVE AI on June 22, 2026 at 11:52 UTC.

Remediation

Vendor Solution

Enforce runtime toggle checks. Implement payload signing with server private key.


Vendor Workaround

None effective — allow-remote-config-modification toggle is ignored


OpenCVE Recommended Actions

  • Apply vendor‑supplied fix by updating the RustDesk Client to the latest patched version that includes runtime toggle enforcement and payload signing.
  • Configure the client to enforce runtime toggle checks for the allow‑remote‑config‑modification setting.
  • Implement or enable signing of strategy payloads using a server‑side private key and verify signatures on the client before merging.

Generated by OpenCVE AI on June 22, 2026 at 11:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options(). This issue affects RustDesk Client: through 1.4.5. A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options(). This issue affects RustDesk Client: through 1.4.8.
Weaknesses CWE-345
CPEs cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:webclient:*:*:*:*:*
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}


Wed, 25 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
Apple macos
Google
Google android
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk
CPEs cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os
Apple macos
Google
Google android
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 06 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options(). This issue affects RustDesk Client: through 1.4.5.
Title RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings
First Time appeared Rustdesk-client
Rustdesk-client rustdesk Client
Weaknesses CWE-657
CPEs cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products Rustdesk-client
Rustdesk-client rustdesk Client
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Apple Iphone Os Macos
Google Android
Linux Linux Kernel
Microsoft Windows
Rustdesk Rustdesk
Rustdesk-client Rustdesk Client
cve-icon MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-06-22T13:17:04.057Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30792

cve-icon Vulnrichment

Updated: 2026-03-06T10:25:11.898Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T16:16:19.840

Modified: 2026-06-17T10:32:55.553

Link: CVE-2026-30792

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T12:00:05Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-657

    Violation of Secure Design Principles