Description
Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flutter/lib/common.Dart and program routines importConfig() via URI handler.

This issue affects RustDesk Client: through 1.4.5.
Published: 2026-03-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote configuration hijacking leading to unauthorized remote control
Action: Patch Now
AI Analysis

Impact

Missing authorization in RustDesk Client allows an attacker to manipulate application API messages through a man-in-the-middle or malicious URI, enabling the client to be silently re-homed to an attacker-controlled server. This flaw permits unauthorized modification of connection settings and grants the attacker full control of subsequent remote sessions, potentially exposing sensitive data and remote operations. The weakness is classified under CWE-749 (Deserialization of Untrusted Data) and CWE-862 (Missing Authorization).

Affected Systems

The vulnerability affects the RustDesk Client (rustdesk-client) on Windows, macOS, Linux, iOS, and Android, through versions up to and including 1.4.5. Any installation that accepts URI scheme handlers or imports configuration files is at risk.

Risk and Exploitability

The CVSS score of 9.3 marks it as critical, yet the EPSS score is less than 1%, indicating a low current likelihood of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to deliver a crafted rustdesk:// URI or configuration file, or to intercept the client's configuration import process. Because no user confirmation is performed, the client silently applies the malicious settings. The obvious attack path is through phishing or compromised directories where an attacker can drop a malicious config. Even though the likelihood is low, the potential impact is high, justifying a prompt response.

Generated by OpenCVE AI on April 16, 2026 at 12:20 UTC.

Remediation

Vendor Solution

Require admin elevation and user confirmation. Add config to disable. Sign config payloads.

Vendor Workaround

Unregister the rustdesk:// URI scheme handler at OS level.

OpenCVE Recommended Actions

  • Apply the vendor's recommended fix: enable admin elevation and require user confirmation for configuration changes, add a configuration option to disable automatic config import, and configure the client to verify signed configuration payloads.
  • If the client does not yet support the above safeguards, unregister the rustdesk:// URI scheme handler at the operating-system level to prevent automatic re-homing.
  • Monitor for vendor updates that incorporate these safeguards, and apply any available patches or newer releases as soon as they are released.



History

Wed, 25 Mar 2026 16:30:00 +0000

First Time appeared (added): Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk
CPEs (added):
  cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
  cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products (added): Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk
Metrics cvssV3_1 (added): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Mar 2026 15:15:00 +0000

Metrics ssvc (removed): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 16:00:00 +0000

Description (added): Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flutter/lib/common.Dart and program routines importConfig() via URI handler. This issue affects RustDesk Client: through 1.4.5.
Title (added): RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server
First Time appeared (added): Rustdesk-client; Rustdesk-client rustdesk Client
Weaknesses (added): CWE-749; CWE-862
CPEs (added):
  cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
  cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
  cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
  cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
  cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products (added): Rustdesk-client; Rustdesk-client rustdesk Client
References (added): none listed
Metrics cvssV4_0 (added): {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-17T14:31:59.164Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30797

Vulnrichment

Updated: 2026-03-05T16:32:59.930Z

NVD

Status: Analyzed

Published: 2026-03-05T16:16:21.140

Modified: 2026-03-25T16:16:29.883

Link: CVE-2026-30797

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses