Description
Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart, src/flutter_ffi.Rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword().

This issue affects RustDesk Client: through 1.4.5.
Published: 2026-03-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

A Cross‑Site Request Forgery vulnerability exists in the Flutter URI scheme handler of RustDesk Client, allowing an attacker to invoke the rustdesk://password/ URI and set a permanent password for the user without performing a privilege check or prompting for confirmation. This flaw effectively bypasses authorization controls, granting an attacker unauthorized control of the user’s account. The weakness is categorized as CWE‑285 (Authorization Bypass Through User‑Controlled Key) and CWE‑352 (Cross‑Site Request Forgery).

Affected Systems

The issue affects all RustDesk Client platforms, including Windows, macOS, Linux, iOS, and Android, through the Flutter URI scheme handler and its FFI bridge modules. Versions up to and including 1.4.5 are vulnerable.

Risk and Exploitability

The CVSS base score of 9.3 indicates a critical severity, while the current EPSS score of less than 1% suggests the likelihood of exploitation remains low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker able to invoke the rustdesk://password URI—such as via a malicious webpage or compromised application—without user confirmation or privilege checks; this inference is drawn from the description that the URI handler sets a permanent password. Exploitation requires that the victim has RustDesk Client installed and the rustdesk:// scheme registered.

Generated by OpenCVE AI on April 17, 2026 at 12:44 UTC.

Remediation

Vendor Solution

Synchronize privilege logic between CLI and GUI. Require user confirmation. Add config to disable.


Vendor Workaround

Unregister the rustdesk:// URI scheme handler at OS level


OpenCVE Recommended Actions

  • Apply the official patch that synchronizes privilege logic between the command‑line interface and the graphical user interface, requires user confirmation when setting a permanent password, and adds a configuration option to disable the URI handler.
  • Unregister the rustdesk:// URI scheme handler at the operating system level to block external invocation of the vulnerable endpoint.
  • Disable automatic handling of rustdesk:// password URIs or enforce explicit user confirmation before processing them, following vendor guidance.
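The vendor fix described above amounts to putting the same gates in front of the URI-triggered path that the CLI path already has: a configuration switch, the privilege check, and an explicit confirmation before anything is written. The following Rust sketch is an added illustration of that pattern, not RustDesk's code; every type and function name in it (Config, Caller, gate_password_uri, parse_password_uri) is hypothetical, and the minimum-length policy is an assumption.

```rust
// Added example, not RustDesk's code: a gate in front of a custom-scheme
// "set permanent password" action. Every name here is hypothetical.

#[derive(Debug, PartialEq)]
pub enum Denied {
    HandlerDisabled, // config switch turned the URI handler off
    MalformedUri,    // not a rustdesk://password/<value> URI
    NotPrivileged,   // the same check the CLI path applies
    WeakPassword,    // local policy; hypothetical minimum length
    NotConfirmed,    // the user declined the prompt
}

/// Hypothetical settings relevant to the handler.
pub struct Config {
    pub allow_uri_password: bool,
    pub min_password_len: usize,
}

/// Hypothetical description of who triggered the action.
pub struct Caller {
    pub is_elevated: bool,
}

/// Extract <value> from `rustdesk://password/<value>`.
/// Rejects other actions, empty values and anything with extra segments.
pub fn parse_password_uri(uri: &str) -> Result<String, Denied> {
    let value = uri
        .strip_prefix("rustdesk://password/")
        .ok_or(Denied::MalformedUri)?;
    if value.is_empty() || value.contains('/') || value.contains('?') {
        return Err(Denied::MalformedUri);
    }
    Ok(value.to_string())
}

/// Returns the password to apply only after every gate passes; the caller
/// then hands it to the existing set-permanent-password routine.
pub fn gate_password_uri<F>(
    cfg: &Config,
    caller: &Caller,
    uri: &str,
    confirm: F,
) -> Result<String, Denied>
where
    F: Fn(&str) -> bool,
{
    // 1. Config switch: the handler can be disabled entirely.
    if !cfg.allow_uri_password {
        return Err(Denied::HandlerDisabled);
    }
    // 2. Only accept the exact URI shape we expect.
    let password = parse_password_uri(uri)?;
    // 3. Privilege check shared with the CLI path, before any side effect.
    if !caller.is_elevated {
        return Err(Denied::NotPrivileged);
    }
    // 4. Local password policy (assumed minimum length).
    if password.chars().count() < cfg.min_password_len {
        return Err(Denied::WeakPassword);
    }
    // 5. Explicit confirmation; the prompt names the action, never the secret.
    if !confirm("An external link asked to replace this device's permanent password. Allow?") {
        return Err(Denied::NotConfirmed);
    }
    Ok(password)
}

fn main() {
    let cfg = Config { allow_uri_password: true, min_password_len: 12 };
    let caller = Caller { is_elevated: true };
    // Constructed input: a link a browser would hand to the registered handler.
    let uri = "rustdesk://password/constructed-example-pw-1";
    // Stand-alone demo: the prompt is declined, so nothing changes.
    match gate_password_uri(&cfg, &caller, uri, |_prompt| false) {
        Ok(_) => println!("password would be applied"),
        Err(why) => println!("blocked: {:?}", why),
    }
}
```

The order of the checks is the point: the config switch and the URI shape are evaluated before any privilege or policy decision, and the confirmation prompt is the last gate, so declining it leaves no partial state behind.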



Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:45:00 +0000

Type: First Time appeared
  Values Added: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk

Type: CPEs
  Values Added:
    cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
    cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Added: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk

Type: Metrics
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Mar 2026 15:15:00 +0000

Type: Metrics
  Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 15:45:00 +0000

Type: Description
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart, src/flutter_ffi.Rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword(). This issue affects RustDesk Client: through 1.4.5.

Type: Title
  Values Added: RustDesk Flutter URI Handler Sets Permanent Password Without Privilege Check or User Confirmation

Type: First Time appeared
  Values Added: Rustdesk-client; Rustdesk-client rustdesk Client

Type: Weaknesses
  Values Added: CWE-285; CWE-352

Type: CPEs
  Values Added:
    cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
    cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
    cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
    cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
    cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*

Type: Vendors & Products
  Values Added: Rustdesk-client; Rustdesk-client rustdesk Client

Type: References
  Values Added:

Type: Metrics
  Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-17T14:30:50.566Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30793

Vulnrichment

Updated: 2026-03-05T16:37:05.264Z

NVD

Status: Analyzed

Published: 2026-03-05T16:16:20.037

Modified: 2026-03-25T15:34:35.820

Link: CVE-2026-30793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses