Skip to main content

RustDesk CVE-2026-57850

| EUVDEUVD-2026-43008 HIGH
Missing Authorization (CWE-862)
2026-07-10 disclosure@vulncheck.com GHSA-83jc-7j6x-wvj9
8.7
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Network-reachable escalation by an already-authenticated limited-session peer (PR:L), no user interaction, yielding full screen/control (C:H/I:H) with minor availability effect (A:L); scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:34 vuln.today

DescriptionCVE.org

RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given.

AnalysisAI

Privilege escalation within RustDesk before 1.4.9 lets an authenticated peer that was granted only a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) send control messages and login options reserved for a full Remote session, because the server never re-validates a session's authorized scope. The result is that a peer given, for example, file-transfer-only access can observe and control the host's screen and input as if it held full remote-control rights. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain authorized limited session (FileTransfer/PortForward/ViewCamera/Terminal)
Delivery
Craft out-of-scope control and login-option messages
Exploit
Send to host lacking server-side scope check
Execution
Server honors messages as full Remote
Impact
Observe screen and control host beyond granted scope

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker already hold an authenticated, established RustDesk session of a limited type - specifically FileTransfer, PortForward, ViewCamera, or Terminal - against a host running a version before 1.4.9; from that granted-but-narrow session the peer injects control messages and login options reserved for a full Remote session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:H/VI:H/VA:L, base 8.7 High) indicates network-reachable, low-complexity exploitation requiring only low privileges (an already-authenticated peer holding a limited session) and no user interaction, with high confidentiality and integrity impact - consistent with the description of a peer breaking out of its granted scope to view and control the host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An organization grants an outside support contractor a FileTransfer-only RustDesk session to drop a file onto a host. Instead of staying within file transfer, the contractor's client injects control and login-option messages reserved for a full Remote session, and because the server does not enforce the session's scope, they gain live screen viewing and keyboard/mouse control of the machine. …
Remediation Upgrade to RustDesk 1.4.9 or later, which adds the missing server-side session-scope enforcement (Vendor-released patch: 1.4.9, https://github.com/rustdesk/rustdesk/releases/tag/1.4.9; fix in PR #15469 / commit 493b14b). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all RustDesk deployments and affected versions; disable RustDesk for sensitive systems if versions before 1.4.9 are in use; assess risk from users with limited-scope access permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy