Description
RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 10 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given. | |
| Title | RustDesk before 1.4.9 Missing Session Scope Enforcement Allows Out-of-Scope Control Message Injection | |
| First Time appeared |
Rustdesk
Rustdesk rustdesk |
|
| Weaknesses | CWE-862 | |
| CPEs | cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Rustdesk
Rustdesk rustdesk |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-10T21:06:33.323Z
Reserved: 2026-06-25T18:48:00.282Z
Link: CVE-2026-57850
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-862
Missing Authorization