Skip to main content

RustDesk Client CVE-2026-30792

HIGH
Violation of Secure Design Principles (CWE-657)
2026-03-05 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
8.3
CVSS 4.0 · Vendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
Share

Severity by source

Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

Network-reachable sync endpoint (AV:N) but exploitation requires an MitM foothold (AC:H); no client auth or interaction (PR:N/UI:N); attacker rewrites config so integrity is high, with limited confidentiality and availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe).

CVSS VectorVendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 22, 2026 - 10:45 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 10:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 10:37 vuln.today
cvss_changed
Severity Changed
Jun 22, 2026 - 10:37 NVD
CRITICAL HIGH
CVSS changed
Jun 22, 2026 - 10:37 NVD
9.1 (CRITICAL) 8.3 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 16:16 nvd
CRITICAL 9.1

DescriptionCVE.org

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options().

This issue affects RustDesk Client: through 1.4.5.

AnalysisAI

Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).

Technical ContextAI

RustDesk is a Rust-based open-source remote desktop suite whose clients periodically synchronize policy and configuration with a server-side strategy via an HTTP API. The vulnerable code paths are src/hbbs_http/sync.rs (the Strategy merge loop that pulls server-pushed options into the local config) and hbb_common/src/config.rs (Config::set_options() which applies the merged values). CWE-657 (Violation of Secure Design Principles) reflects that the client merges and applies remote configuration without enforcing channel integrity or message authenticity, so an attacker controlling the network path can substitute or modify the JSON/API payloads that drive client behavior. The affected CPE is cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*, but the description explicitly covers all platform builds.

RemediationAI

No vendor-released patch identified at time of analysis; the description states the issue affects RustDesk Client through 1.4.5, so monitor the project for a release above 1.4.5 and upgrade as soon as one is published (track the vendor advisory at https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub and the VulDB record at https://vuldb.com/?id.349201). Until a fix ships, restrict the network path between clients and the self-hosted hbbs/hbbr server to trusted segments and front the sync HTTP API with a strict TLS terminator that you control end-to-end, refusing any intermediary that can rewrite traffic (side effect: clients on hostile networks such as captive portals or roaming users behind TLS-inspecting proxies may be unable to connect). Operators of self-hosted deployments should also lock down the advanced-settings options surface documented at https://rustdesk.com/docs/en/self-host/client-configuration/advanced-settings/ so that any tampered values land in a known-safe baseline, and consider pinning clients to a private CA to detect MitM. Avoid using public/community RustDesk relays for sensitive deployments until a patched build is confirmed.

Share

CVE-2026-30792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy