CVE-2026-30783 PUBLISHED

RustDesk Client Can Orphan API Channel to Ignore All Admin Commands and ACL Policies

Assigner: VULSec
Reserved: 05.03.2026 Published: 05.03.2026 Updated: 06.03.2026

A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling.

This issue affects RustDesk Client: through 1.4.5.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 8.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	rustdesk-client
Product	RustDesk Client
Versions	Default: affected affected from 0 to 1.4.5 (incl.)

Affected Configurations

Default — any client deployment (OSS or Pro)

Exploits

PoC available. Trivially exploitable.

Workarounds

Restrict physical/remote access to RustDesk config files

Solutions

Move enforcement to server side. Require Signed Session Authorization Tokens.

Credits

Erez Kalman finder
Erez Kalman reporter

References

Problem Types

CWE-602 CWE
CWE-841 CWE

Impacts

CAPEC-122 Privilege Abuse