CVE-2026-2490

RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability

Assigner: zdi
Reserved: 13.02.2026 Published: 20.02.2026 Updated: 20.02.2026

RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of RustDesk Client for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Transfer File feature. By uploading a symbolic link, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-27909.

Metrics

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.5

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.0

Product Status

Vendor	RustDesk
Product	Client for Windows
Versions	Default: unknown Version 1.4.1 is affected

Vendor

RustDesk

Product

Client for Windows

Versions

Default: unknown

Version 1.4.1 is affected

References

Problem Types

CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE

CVE-2026-2490 PUBLISHED

RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability

Metrics

Product Status

References

Problem Types