{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30792", "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "state": "PUBLISHED", "assignerShortName": "VULSec", "dateReserved": "2026-03-05T14:13:37.203Z", "datePublished": "2026-03-05T15:14:43.719Z", "dateUpdated": "2026-03-06T10:25:16.901Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/rustdesk/rustdesk/releases", "defaultStatus": "affected", "modules": ["Strategy sync", "HTTP API client", "config options engine"], "packageName": "rustdesk-client", "platforms": ["Windows", "MacOS", "Linux", "iOS", "Android"], "product": "RustDesk Client", "programFiles": ["src/hbbs_http/sync.rs", "hbb_common/src/config.rs"], "programRoutines": [{"name": "Strategy merge loop in sync.rs"}, {"name": "Config::set_options()"}], "repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common", "vendor": "rustdesk-client", "versions": [{"lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Client connected to any API server (Pro). MiTM or re-homing can also trigger."}], "value": "Client connected to any API server (Pro). MiTM or re-homing can also trigger."}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Erez Kalman"}, {"lang": "en", "type": "reporter", "value": "Erez Kalman"}], "datePublic": "2026-03-05T13:45:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle.<p> This vulnerability is associated with program files <tt>src/hbbs_http/sync.Rs</tt>, <tt>hbb_common/src/config.Rs</tt> and program routines <tt>Strategy merge loop in sync.Rs</tt>, <tt>Config::set_options()</tt>.</p><p>This issue affects RustDesk Client: through 1.4.5.</p>"}], "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options().\n\nThis issue affects RustDesk Client: through 1.4.5."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "PoC available. Trivially exploitable.<br>"}], "value": "PoC available. Trivially exploitable."}], "impacts": [{"capecId": "CAPEC-384", "descriptions": [{"lang": "en", "value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 9.1, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-657", "description": "CWE-657", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "shortName": "VULSec", "dateUpdated": "2026-03-05T16:41:19.320Z"}, "references": [{"tags": ["technical-description", "x_--config documentation"], "url": "https://rustdesk.com/docs/en/self-host/client-configuration/advanced-settings/"}, {"tags": ["third-party-advisory", "exploit"], "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"}, {"tags": ["vdb-entry", "third-party-advisory"], "url": "https://www.vulsec.org/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Enforce runtime toggle checks. Implement payload signing with server private key."}], "value": "Enforce runtime toggle checks. Implement payload signing with server private key."}], "source": {"discovery": "UNKNOWN"}, "title": "RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "None effective \u2014 <code>allow-remote-config-modification</code> toggle is ignored"}], "value": "None effective \u2014 allow-remote-config-modification toggle is ignored"}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T10:24:56.279793Z", "id": "CVE-2026-30792", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:25:16.901Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30792", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T10:24:56.279793Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T10:25:11.898Z"}}], "cna": {"title": "RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Erez Kalman"}, {"lang": "en", "type": "reporter", "value": "Erez Kalman"}], "impacts": [{"capecId": "CAPEC-384", "descriptions": [{"lang": "en", "value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common", "vendor": "rustdesk-client", "modules": ["Strategy sync", "HTTP API client", "config options engine"], "product": "RustDesk Client", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.5"}], "platforms": ["Windows", "MacOS", "Linux", "iOS", "Android"], "packageName": "rustdesk-client", "programFiles": ["src/hbbs_http/sync.rs", "hbb_common/src/config.rs"], "collectionURL": "https://github.com/rustdesk/rustdesk/releases", "defaultStatus": "affected", "programRoutines": [{"name": "Strategy merge loop in sync.rs"}, {"name": "Config::set_options()"}]}], "exploits": [{"lang": "en", "value": "PoC available. Trivially exploitable.", "supportingMedia": [{"type": "text/html", "value": "PoC available. Trivially exploitable.<br>", "base64": false}]}], "solutions": [{"lang": "en", "value": "Enforce runtime toggle checks. Implement payload signing with server private key.", "supportingMedia": [{"type": "text/html", "value": "Enforce runtime toggle checks. Implement payload signing with server private key.", "base64": false}]}], "datePublic": "2026-03-05T13:45:00.000Z", "references": [{"url": "https://rustdesk.com/docs/en/self-host/client-configuration/advanced-settings/", "tags": ["technical-description", "x_--config documentation"]}, {"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub", "tags": ["third-party-advisory", "exploit"]}, {"url": "https://www.vulsec.org/", "tags": ["vdb-entry", "third-party-advisory"]}], "workarounds": [{"lang": "en", "value": "None effective \u2014 allow-remote-config-modification toggle is ignored", "supportingMedia": [{"type": "text/html", "value": "None effective \u2014 <code>allow-remote-config-modification</code> toggle is ignored", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options().\n\nThis issue affects RustDesk Client: through 1.4.5.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle.<p> This vulnerability is associated with program files <tt>src/hbbs_http/sync.Rs</tt>, <tt>hbb_common/src/config.Rs</tt> and program routines <tt>Strategy merge loop in sync.Rs</tt>, <tt>Config::set_options()</tt>.</p><p>This issue affects RustDesk Client: through 1.4.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-657", "description": "CWE-657"}]}], "configurations": [{"lang": "en", "value": "Client connected to any API server (Pro). MiTM or re-homing can also trigger.", "supportingMedia": [{"type": "text/html", "value": "Client connected to any API server (Pro). MiTM or re-homing can also trigger.", "base64": false}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "shortName": "VULSec", "dateUpdated": "2026-03-05T16:41:19.320Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30792", "state": "PUBLISHED", "dateUpdated": "2026-03-06T10:25:16.901Z", "dateReserved": "2026-03-05T14:13:37.203Z", "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "datePublished": "2026-03-05T15:14:43.719Z", "assignerShortName": "VULSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*", "matchCriteriaId": "14986BCF-B589-41F2-913D-2800283B452B", "versionEndIncluding": "1.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705", "vulnerable": false}, {"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options().\n\nThis issue affects RustDesk Client: through 1.4.5."}, {"lang": "es", "value": "Una vulnerabilidad en rustdesk-client RustDesk Client rustdesk-client en Windows, MacOS, Linux, iOS, Android, WebClient (sincronizaci\u00f3n de estrategia, cliente API HTTP, m\u00f3dulos del motor de opciones de configuraci\u00f3n) permite la manipulaci\u00f3n de mensajes de la API de la aplicaci\u00f3n a trav\u00e9s de Man-in-the-Middle. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa src/hbbs_http/sync.Rs, hbb_common/src/config.Rs y las rutinas de programa bucle de fusi\u00f3n de estrategia en sync.Rs, Config::set_options().\n\nEste problema afecta a RustDesk Client: a trav\u00e9s de 1.4.5."}], "id": "CVE-2026-30792", "lastModified": "2026-03-25T15:35:30.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "type": "Secondary"}]}, "published": "2026-03-05T16:16:19.840", "references": [{"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Exploit", "Third Party Advisory"], "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Product", "Vendor Advisory"], "url": "https://rustdesk.com/docs/en/self-host/client-configuration/advanced-settings/"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Not Applicable"], "url": "https://www.vulsec.org/"}], "sourceIdentifier": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-657"}], "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux", "ios", "android"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.5]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "RustDesk Client", "source": "cna", "vendor": "rustdesk-client"}, "product": "rustdesk_client", "vendor": "rustdesk-client"}], "created": "2026-03-06T15:07:35.570879+00:00", "updated": "2026-03-06T15:07:35.570992+00:00", "vendors": ["rustdesk-client", "rustdesk-client$PRODUCT$rustdesk_client"]}