Description
A vulnerability in the RustDesk Client (rustdesk-client) on Windows, macOS, Linux, iOS, Android and the WebClient (strategy sync, HTTP API client and config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. The vulnerability is associated with the program files src/hbbs_http/sync.rs and hbb_common/src/config.rs and with the program routines strategy merge loop (sync.rs) and Config::set_options().

This issue affects RustDesk Client versions through 1.4.5.
Published: 2026-03-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Configuration Tampering
Action: Immediate Update
AI Analysis

Impact

A flaw in the RustDesk Client allows an attacker to inject strategy payloads that are merged without authentication during configuration synchronization. Based on the description, the likely attack vector is a Man-in-the-Middle intercepting unprotected API messages between the client and the server and altering or replacing the strategy payload, and with it the client's configuration options. This bypasses local security settings and can potentially grant the attacker elevated privileges or persistent control over the client environment.

Affected Systems

All versions of the RustDesk Client up to and including 1.4.5 on Windows, macOS, Linux, iOS, Android, and the WebClient are affected. The weakness resides in the client’s configuration engine, specifically the strategy merge loop and the Config::set_options function.

Risk and Exploitability

Based on the description, exploitation would typically require a Man-in-the-Middle position capable of intercepting and injecting messages between the client and the server. The vulnerability carries a CVSS score of 9.1, indicating critical severity. The EPSS score is below 1%, suggesting a low but non-zero probability of public exploitation, and the issue is not listed in the CISA KEV catalog. Once an unauthenticated strategy payload is merged, the attacker can change security-related settings, effectively elevating privileges or establishing a foothold. Because no effective workaround exists, immediate mitigation through an upgrade or proper runtime checks is essential.

Generated by OpenCVE AI on April 17, 2026 at 12:45 UTC.

Remediation

Vendor Solution

Enforce runtime toggle checks. Implement payload signing with the server's private key.


Vendor Workaround

None effective: the allow-remote-config-modification toggle is ignored.


OpenCVE Recommended Actions

  • Upgrade to RustDesk Client version 1.4.6 or later to apply the vendor‑supplied fix.
  • Configure the client to enforce runtime toggle checks for the allow‑remote‑config‑modification setting.
  • Implement or enable signing of strategy payloads using a server‑side private key and verify signatures on the client before merging.

Generated by OpenCVE AI on April 17, 2026 at 12:45 UTC.
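As an added defensive illustration of the remediation above (not RustDesk's own code), the following Go program models a client that honors the allow-remote-config-modification toggle and verifies the server's Ed25519 signature over a strategy payload before any option is merged; Go is used because its standard library carries Ed25519. The types, field names and the JSON payload shape are hypothetical, and the signed option and the server key pair are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedStrategy is a constructed stand-in for a server-pushed strategy payload
// (JSON of option name -> value) plus the server's Ed25519 signature; hypothetical shape.
type SignedStrategy struct{ Payload, Signature []byte }

// Client models only the parts of a client config that matter here.
type Client struct {
	AllowRemoteConfigModification bool              // the runtime toggle
	ServerPubKey                  ed25519.PublicKey // pinned server key (assumed distributed out of band)
	Options                       map[string]string
}

var ErrRemoteConfigDisabled = errors.New("remote config modification is disabled")
var ErrBadSignature = errors.New("strategy payload signature is invalid")

// ApplyStrategy is the hardened merge: honor the toggle first, verify the signature before parsing, then merge.
func (c *Client) ApplyStrategy(s SignedStrategy) error {
	if !c.AllowRemoteConfigModification {
		return ErrRemoteConfigDisabled
	}
	if !ed25519.Verify(c.ServerPubKey, s.Payload, s.Signature) {
		return ErrBadSignature
	}
	var opts map[string]string
	if err := json.Unmarshal(s.Payload, &opts); err != nil {
		return err
	}
	for k, v := range opts {
		c.Options[k] = v
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Client{AllowRemoteConfigModification: true, ServerPubKey: pub, Options: map[string]string{}}
	payload := []byte(`{"option-a":"Y"}`) // constructed option; the server side signs with its private key
	signed := SignedStrategy{Payload: payload, Signature: ed25519.Sign(priv, payload)}
	fmt.Println("genuine:", c.ApplyStrategy(signed), c.Options)
	signed.Payload = []byte(`{"option-a":"N"}`) // altered in transit: the signature no longer verifies
	fmt.Println("tampered:", c.ApplyStrategy(signed))
}
```

Because the signature is checked before the payload is parsed, an altered or unsigned message is rejected without ever touching the options map, and switching the toggle off stops all remote merges regardless of signature.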

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:45:00 +0000

Type: First Time appeared (values added; none removed)
Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk

Type: CPEs (values added; none removed)
cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products (values added; none removed)
Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk

Type: Metrics (values added; none removed)
cvssV3_1: score 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H


Fri, 06 Mar 2026 11:15:00 +0000

Type: Metrics (values added; none removed)
ssvc (version 2.0.3): Automatable: yes; Exploitation: poc; Technical Impact: total


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 15:45:00 +0000

Type: Description (values added; none removed)
A vulnerability in the RustDesk Client (rustdesk-client) on Windows, macOS, Linux, iOS, Android and the WebClient (strategy sync, HTTP API client and config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. The vulnerability is associated with the program files src/hbbs_http/sync.rs and hbb_common/src/config.rs and with the program routines strategy merge loop (sync.rs) and Config::set_options(). This issue affects RustDesk Client versions through 1.4.5.

Type: Title (values added; none removed)
RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings

Type: First Time appeared (values added; none removed)
Rustdesk-client; Rustdesk-client rustdesk Client

Type: Weaknesses (values added; none removed)
CWE-657

Type: CPEs (values added; none removed)
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*

Type: Vendors & Products (values added; none removed)
Rustdesk-client; Rustdesk-client rustdesk Client

Type: References (no values recorded)

Type: Metrics (values added; none removed)
cvssV4_0: score 9.1, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-06T10:25:16.901Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30792

Vulnrichment

Updated: 2026-03-06T10:25:11.898Z

NVD

Status: Analyzed

Published: 2026-03-05T16:16:19.840

Modified: 2026-03-25T15:35:30.493

Link: CVE-2026-30792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:11Z

Weaknesses