CVE-2026-30784 PUBLISHED

RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check

Assigner: VULSec
Reserved: 05.03.2026 Published: 05.03.2026 Updated: 06.03.2026

Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.

This issue affects RustDesk Server: through 1.7.5, through 1.1.15.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 8.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	rustdesk-server
Product	RustDesk Server
Versions	Default: affected affected from 0 to 1.7.5 (incl.) affected from 0 to 1.1.15 (incl.)

Affected Configurations

Default — any hbbs/hbbr deployment (OSS or Pro)

Exploits

PoC available.

Workarounds

Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords.

Solutions

Implement Signed Session Authorization Tokens validated by hbbs and hbbr

Credits

Erez Kalman finder
Erez Kalman reporter

References

Problem Types

CWE-862 Missing Authorization CWE
CWE-306 Missing Authentication for Critical Function CWE

Impacts

CAPEC-122 Privilege Abuse