{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30793", "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "state": "PUBLISHED", "assignerShortName": "VULSec", "dateReserved": "2026-03-05T14:13:37.203Z", "datePublished": "2026-03-05T15:21:03.405Z", "dateUpdated": "2026-03-17T14:30:50.566Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/rustdesk/rustdesk/releases", "defaultStatus": "affected", "modules": ["Flutter URI scheme handler", "FFI bridge"], "packageName": "rustdesk-client", "platforms": ["Windows", "MacOS", "Linux", "iOS", "Android"], "product": "RustDesk Client", "programFiles": ["flutter/lib/common.dart", "src/flutter_ffi.rs"], "programRoutines": [{"name": "URI handler for rustdesk://password/"}, {"name": "bind.mainSetPermanentPassword()"}], "repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common", "vendor": "rustdesk-client", "versions": [{"lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Default \u2014 RustDesk installed with URI scheme handler registered"}], "value": "Default \u2014 RustDesk installed with URI scheme handler registered"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*", "versionEndIncluding": "1.4.5", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Erez Kalman"}, {"lang": "en", "type": "reporter", "value": "Erez Kalman"}], "datePublic": "2026-03-05T13:45:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation.<p> This vulnerability is associated with program files <tt>flutter/lib/common.Dart</tt>, <tt>src/flutter_ffi.Rs</tt> and program routines <tt>URI handler for rustdesk://password/</tt>, <tt>bind.MainSetPermanentPassword()</tt>.</p><p>This issue affects RustDesk Client: through 1.4.5.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart, src/flutter_ffi.Rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword().\n\nThis issue affects RustDesk Client: through 1.4.5."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "PoC available. Trivially exploitable.<br>"}], "value": "PoC available. Trivially exploitable."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "shortName": "VULSec", "dateUpdated": "2026-03-05T16:44:10.703Z"}, "references": [{"tags": ["product"], "url": "https://github.com/rustdesk/rustdesk"}, {"tags": ["product"], "url": "https://github.com/rustdesk/hbb_common"}, {"tags": ["third-party-advisory", "exploit"], "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"}, {"tags": ["vdb-entry", "third-party-advisory"], "url": "https://www.vulsec.org/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Synchronize privilege logic between CLI and GUI. Require user confirmation. Add config to disable."}], "value": "Synchronize privilege logic between CLI and GUI. Require user confirmation. Add config to disable."}], "source": {"discovery": "UNKNOWN"}, "title": "RustDesk Flutter URI Handler Sets Permanent Password Without Privilege Check or User Confirmation", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unregister the <code>rustdesk://</code> URI scheme handler at OS level"}], "value": "Unregister the rustdesk:// URI scheme handler at OS level"}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T14:30:47.078828Z", "id": "CVE-2026-30793", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T14:30:50.566Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30793", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T14:30:47.078828Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T16:37:05.264Z"}}], "cna": {"title": "RustDesk Flutter URI Handler Sets Permanent Password Without Privilege Check or User Confirmation", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Erez Kalman"}, {"lang": "en", "type": "reporter", "value": "Erez Kalman"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common", "vendor": "rustdesk-client", "modules": ["Flutter URI scheme handler", "FFI bridge"], "product": "RustDesk Client", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.5"}], "platforms": ["Windows", "MacOS", "Linux", "iOS", "Android"], "packageName": "rustdesk-client", "programFiles": ["flutter/lib/common.dart", "src/flutter_ffi.rs"], "collectionURL": "https://github.com/rustdesk/rustdesk/releases", "defaultStatus": "affected", "programRoutines": [{"name": "URI handler for rustdesk://password/"}, {"name": "bind.mainSetPermanentPassword()"}]}], "exploits": [{"lang": "en", "value": "PoC available. Trivially exploitable.", "supportingMedia": [{"type": "text/html", "value": "PoC available. Trivially exploitable.<br>", "base64": false}]}], "solutions": [{"lang": "en", "value": "Synchronize privilege logic between CLI and GUI. Require user confirmation. Add config to disable.", "supportingMedia": [{"type": "text/html", "value": "Synchronize privilege logic between CLI and GUI. Require user confirmation. Add config to disable.", "base64": false}]}], "datePublic": "2026-03-05T13:45:00.000Z", "references": [{"url": "https://github.com/rustdesk/rustdesk", "tags": ["product"]}, {"url": "https://github.com/rustdesk/hbb_common", "tags": ["product"]}, {"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub", "tags": ["third-party-advisory", "exploit"]}, {"url": "https://www.vulsec.org/", "tags": ["vdb-entry", "third-party-advisory"]}], "workarounds": [{"lang": "en", "value": "Unregister the rustdesk:// URI scheme handler at OS level", "supportingMedia": [{"type": "text/html", "value": "Unregister the <code>rustdesk://</code> URI scheme handler at OS level", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart, src/flutter_ffi.Rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword().\n\nThis issue affects RustDesk Client: through 1.4.5.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation.<p> This vulnerability is associated with program files <tt>flutter/lib/common.Dart</tt>, <tt>src/flutter_ffi.Rs</tt> and program routines <tt>URI handler for rustdesk://password/</tt>, <tt>bind.MainSetPermanentPassword()</tt>.</p><p>This issue affects RustDesk Client: through 1.4.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "configurations": [{"lang": "en", "value": "Default \u2014 RustDesk installed with URI scheme handler registered", "supportingMedia": [{"type": "text/html", "value": "Default \u2014 RustDesk installed with URI scheme handler registered", "base64": false}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.4.5", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "shortName": "VULSec", "dateUpdated": "2026-03-05T16:44:10.703Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30793", "state": "PUBLISHED", "dateUpdated": "2026-03-17T14:30:50.566Z", "dateReserved": "2026-03-05T14:13:37.203Z", "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "datePublished": "2026-03-05T15:21:03.405Z", "assignerShortName": "VULSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*", "matchCriteriaId": "14986BCF-B589-41F2-913D-2800283B452B", "versionEndIncluding": "1.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705", "vulnerable": false}, {"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart, src/flutter_ffi.Rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword().\n\nThis issue affects RustDesk Client: through 1.4.5."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en rustdesk-client RustDesk Client rustdesk-client en Windows, MacOS, Linux, iOS, Android (gestor de esquema URI de Flutter, m\u00f3dulos de puente FFI) permite la escalada de privilegios. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa flutter/lib/common.Dart, src/flutter_ffi.Rs y las rutinas de programa gestor URI para rustdesk://password/, bind.MainSetPermanentPassword(). Este problema afecta a RustDesk Client: hasta la versi\u00f3n 1.4.5."}], "id": "CVE-2026-30793", "lastModified": "2026-03-25T15:34:35.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "type": "Secondary"}]}, "published": "2026-03-05T16:16:20.037", "references": [{"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Third Party Advisory", "Exploit"], "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Product"], "url": "https://github.com/rustdesk/hbb_common"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Product"], "url": "https://github.com/rustdesk/rustdesk"}, {"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "tags": ["Not Applicable"], "url": "https://www.vulsec.org/"}], "sourceIdentifier": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-352"}], "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux", "ios", "android"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4.5]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "RustDesk Client", "source": "cna", "vendor": "rustdesk-client"}, "product": "rustdesk_client", "vendor": "rustdesk-client"}], "created": "2026-03-06T15:07:34.719497+00:00", "updated": "2026-03-06T15:07:34.719582+00:00", "vendors": ["rustdesk-client", "rustdesk-client$PRODUCT$rustdesk_client"]}