
Multiple high-severity CVEs in RustDesk allow privilege abuse, MitM across platforms

A March 5 CVE batch and a February 27 SentinelOne analysis detail multiple high-severity RustDesk client flaws, including a CSRF that sets permanent passwords and a Windows symlink bug that reads files as SYSTEM.

Nina Kowalski
Source: www.malwarebytes.com

Multiple high-severity vulnerabilities in RustDesk client code affect Windows, macOS, Linux, iOS, Android, and in some entries WebClient, with affected releases reported as "RustDesk Client: through 1.4.5." The March 5, 2026 CVE batch reproduced by OpenCVE and Tenable, and a separate SentinelOne write-up dated February 27, 2026, describe a sweep of issues ranging from CSRF and API message tampering to weak hashing and improper TLS validation.

The most striking entry, CVE-2026-30793, is described as a Cross-Site Request Forgery that uses the Flutter URI scheme, specifically the URI handler for "rustdesk://password/" and the FFI bridge code in flutter/lib/common.dart and src/flutter_ffi.rs, to invoke bind.mainSetPermanentPassword(). Tenable lists CVSS v3 base score 8.8 and shows Published and Updated dates of 2026-03-05, while Anonhaven and several feeds list the same CVE with CVSS 9.3 and the explicit behavior that a crafted "rustdesk://password/" link "sets a permanent access password on the victim's RustDesk client without any confirmation dialog."
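The weakness as reported is the missing step between parsing the URI and applying a state-changing action. The Rust below is an added illustration, not RustDesk's code: a hypothetical URI dispatcher (the `ClientState`, `parse_uri` and `handle_uri` names and the read-only "connect" action are assumptions made for this example) in which any action that changes persistent settings must pass a user-confirmation callback before it runs.

```rust
// Added illustration, not RustDesk's code: a custom URI-scheme dispatcher
// in which state-changing actions cannot run without user confirmation.

/// Hypothetical client state; the only field a "password" URI could touch.
#[derive(Debug, Default)]
pub struct ClientState {
    pub permanent_password: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Applied(String),
    Rejected(String),
}

/// Actions that modify security-relevant settings. Every action listed here
/// must pass the confirmation callback before it is applied; the reported
/// bug is precisely that "password" was applied with no such step.
const STATE_CHANGING_ACTIONS: &[&str] = &["password"];

/// Parse "rustdesk://<action>/<argument>" into (action, argument).
/// Anything that is not exactly that shape is rejected as malformed.
pub fn parse_uri(uri: &str) -> Option<(String, String)> {
    let rest = uri.strip_prefix("rustdesk://")?;
    let (action, argument) = rest.split_once('/')?;
    if action.is_empty() || argument.is_empty() {
        return None;
    }
    Some((action.to_string(), argument.to_string()))
}

/// Dispatch a URI. `confirm` stands in for a modal dialog: it receives the
/// action name and its argument and returns whether the user approved them.
pub fn handle_uri<F>(state: &mut ClientState, uri: &str, confirm: F) -> Outcome
where
    F: Fn(&str, &str) -> bool,
{
    let (action, argument) = match parse_uri(uri) {
        Some(parsed) => parsed,
        None => return Outcome::Rejected("malformed URI".to_string()),
    };

    // Gate first, act second: a link arriving from a web page is untrusted
    // input, so nothing below runs for a state-changing action unless the
    // user explicitly approved exactly this action and argument.
    if STATE_CHANGING_ACTIONS.contains(&action.as_str()) && !confirm(&action, &argument) {
        return Outcome::Rejected(format!("user declined '{}' action", action));
    }

    match action.as_str() {
        "password" => {
            state.permanent_password = Some(argument);
            Outcome::Applied("permanent password updated".to_string())
        }
        // Hypothetical read-only action (an assumption for this example): it
        // shows that only actions changing persistent state need the gate.
        "connect" => Outcome::Applied(format!("showing connection prompt for {}", argument)),
        other => Outcome::Rejected(format!("unknown action '{}'", other)),
    }
}

fn main() {
    let mut state = ClientState::default();
    // A user who closes the dialog without approving: the password stays unset.
    let decline = |_: &str, _: &str| false;
    println!("{:?}", handle_uri(&mut state, "rustdesk://password/example-pw", decline));
    println!("{:?}", state);
}
```

The point of the layout is that the confirmation check is unconditional for every entry in `STATE_CHANGING_ACTIONS`, so adding a new state-changing URI action later cannot silently bypass it; a real dialog should also show the user exactly what value is about to be applied and from which origin the link arrived.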

OpenCVE catalogs CVE-2026-30783 and CVE-2026-30789 as client-side "Privilege Abuse" and "Application API Message Manipulation via Man-in-the-Middle," tying those problems to src/hbbs_http/sync.rs, hbb_common/src/config.rs, and src/rendezvous_mediator.rs, and to routines such as the API sync loop, Strategy merge loop in sync.rs, and Config::set_options(). Anonhaven attributes CVE-2026-30789 differently, stating "The hash_password() function in src/client.rs uses weak cryptographic hashing, letting an attacker reuse intercepted session hashes," and assigns CVSS 9.3, a conflict in root-cause location that the published feeds do not reconcile.

Anonhaven’s roundup adds further client weaknesses in the March 5 set: CVE-2026-30790, described as "no brute-force protection" with the phrasing "RustDesk imposes zero limits on authentication attempts," CVE-2026-30792, described as API message manipulation allowing a MitM attacker to alter "client strategies and configurations in transit," and CVE-2026-30794, which states that "Under certain conditions, the client calls danger_accept_invalid_certs(true), enabling adversary-in-the-middle (AiTM) attacks." Each of those entries carries high CVSS values in the Anonhaven text, 9.1 or 9.3 as listed.
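The CVE-2026-30790 entry, as quoted, is about the absence of any limit on authentication attempts. The Rust below is an added illustration, not RustDesk's code: a per-peer attempt limiter (the `AttemptLimiter` and `Decision` names are assumptions for this example) that grants a few free failures and then applies an exponentially growing, capped lockout, consulted before any password comparison is made.

```rust
// Added illustration, not RustDesk's code: per-peer limiting of failed
// authentication attempts with exponential backoff, the control whose
// absence the "zero limits on authentication attempts" entry describes.
use std::collections::HashMap;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    /// Attempt refused; carries the remaining wait so the caller can log it.
    Blocked(Duration),
}

pub struct AttemptLimiter {
    free_attempts: u32,
    base_delay: Duration,
    max_delay: Duration,
    /// peer identifier -> (consecutive failures, earliest permitted next attempt)
    peers: HashMap<String, (u32, Instant)>,
}

impl AttemptLimiter {
    pub fn new(free_attempts: u32, base_delay: Duration, max_delay: Duration) -> Self {
        Self { free_attempts, base_delay, max_delay, peers: HashMap::new() }
    }

    /// Must be consulted before the submitted password is even compared.
    pub fn check(&self, peer: &str, now: Instant) -> Decision {
        match self.peers.get(peer) {
            Some(&(_, not_before)) if not_before > now => Decision::Blocked(not_before - now),
            _ => Decision::Allow,
        }
    }

    /// Beyond the free allowance each further failure doubles the lockout,
    /// capped at `max_delay` so a legitimate user is never locked out forever.
    pub fn record_failure(&mut self, peer: &str, now: Instant) {
        let entry = self.peers.entry(peer.to_string()).or_insert((0, now));
        entry.0 += 1;
        if entry.0 > self.free_attempts {
            let exponent = (entry.0 - self.free_attempts - 1).min(16);
            let delay = self.base_delay.saturating_mul(1u32 << exponent).min(self.max_delay);
            entry.1 = now + delay;
        }
    }

    /// A successful login clears the failure history for that peer.
    pub fn record_success(&mut self, peer: &str) {
        self.peers.remove(peer);
    }
}

fn main() {
    // Simulated clock: six failures one second apart from a single peer id.
    let mut limiter = AttemptLimiter::new(3, Duration::from_secs(1), Duration::from_secs(60));
    let t0 = Instant::now();
    for i in 0..6 {
        let now = t0 + Duration::from_secs(i);
        println!("attempt {}: {:?}", i + 1, limiter.check("peer-123", now));
        limiter.record_failure("peer-123", now);
    }
}
```

In a real service the key should combine the peer id with the network source, the map needs periodic eviction of idle entries so it cannot grow without bound, and `Blocked` decisions are worth logging, since a burst of them from one source is the detection signal for a guessing attempt.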


Separately, SentinelOne’s February 27, 2026 piece on CVE-2026-2490 analyzes a Windows-only Transfer File flaw classified as CWE-59, a link-following information disclosure vulnerability. SentinelOne explains that "When a low-privileged user creates a symbolic link pointing to a protected file and uploads it through the RustDesk file transfer mechanism, the service resolves the link and reads the target file with SYSTEM privileges rather than the user's restricted permissions," and warns that an attacker must first have the ability to execute low-privileged code to exploit the bug.
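The CWE-59 pattern SentinelOne describes is a privileged service opening a caller-supplied path and letting the operating system resolve a link on the way. The Rust below is an added illustration, not RustDesk's code: a read routine (the `reject_symlinks`, `read_no_follow` and `make_fixture` names are assumptions for this example) that inspects every path component without following links, refuses symbolic links, and on Unix re-checks the opened handle against the inspected entry so the check-then-open race cannot be used to swap the file. The fixture it builds is constructed sample data.

```rust
// Added illustration, not RustDesk's code: a privileged file-transfer
// service reading a caller-supplied path without following symbolic links.
use std::fs::{self, File};
use std::io::{self, Read};
use std::path::{Path, PathBuf};

/// Walk every component of `path` with `symlink_metadata`, which does not
/// follow links, and refuse if any component is a symbolic link.
pub fn reject_symlinks(path: &Path) -> io::Result<()> {
    let mut cur = PathBuf::new();
    for comp in path.components() {
        cur.push(comp);
        if fs::symlink_metadata(&cur)?.file_type().is_symlink() {
            return Err(io::Error::new(
                io::ErrorKind::PermissionDenied,
                format!("refusing to follow symbolic link at {}", cur.display()),
            ));
        }
    }
    Ok(())
}

/// Read a regular file only. Checking and then opening leaves a race window,
/// so on Unix the opened handle is compared with the inspected entry (same
/// device and inode) before any bytes are trusted.
pub fn read_no_follow(path: &Path) -> io::Result<Vec<u8>> {
    reject_symlinks(path)?;
    let expected = fs::symlink_metadata(path)?;
    if !expected.file_type().is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    let mut f = File::open(path)?;
    #[cfg(unix)]
    {
        use std::os::unix::fs::MetadataExt;
        let actual = f.metadata()?;
        if actual.dev() != expected.dev() || actual.ino() != expected.ino() {
            return Err(io::Error::new(
                io::ErrorKind::PermissionDenied,
                "file changed between check and open",
            ));
        }
    }
    let mut buf = Vec::new();
    f.read_to_end(&mut buf)?;
    Ok(buf)
}

/// Constructed fixture: a regular file plus, on Unix, a symlink pointing at
/// it, in a fresh directory under the (canonicalized) system temp dir.
pub fn make_fixture() -> io::Result<(PathBuf, Option<PathBuf>)> {
    let dir = std::env::temp_dir()
        .canonicalize()?
        .join(format!("nofollow-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let regular = dir.join("upload.txt");
    fs::write(&regular, b"constructed sample upload")?;
    let link = dir.join("looks-harmless.txt");
    let mut link_path = None;
    #[cfg(unix)]
    {
        let _ = fs::remove_file(&link);
        std::os::unix::fs::symlink(&regular, &link)?;
        link_path = Some(link);
    }
    Ok((regular, link_path))
}

fn main() -> io::Result<()> {
    let (regular, link) = make_fixture()?;
    println!("regular file: {} bytes", read_no_follow(&regular)?.len());
    if let Some(link) = link {
        println!("symlink: {:?}", read_no_follow(&link).map(|b| b.len()));
    }
    Ok(())
}
```

This check is defense in depth rather than the whole fix: in the scenario SentinelOne describes the structural remedy is for the service to open the upload with the requesting user's own rights (on Windows, by impersonating that user), so that a link to a protected file fails under the user's permissions regardless of how it was reached. On Windows, junctions and other reparse-point types deserve an explicit attribute check in addition to `is_symlink`, and the inode comparison above has no direct equivalent there.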

None of the supplied excerpts include a vendor-published patch version or official mitigation steps; OpenCVE and Tenable entries repeatedly list affected releases as "through 1.4.5," and SentinelOne and other feeds do not report fixed releases. The reporting gaps include conflicting file-level attributions for CVE-2026-30789 and divergent CVSS values for CVE-2026-30793, facts security teams will need RustDesk to clarify. I asked RustDesk to confirm patched version numbers, to explain whether bind.mainSetPermanentPassword() or hash_password() have been changed, and to advise mitigations such as disabling URI handlers or constraining file-transfer privileges if patches are not yet available.

The March 5 roundup that surfaced these RustDesk entries also listed unrelated items such as CVE-2026-3459 for a WordPress plugin and CVE-2025-13350 for an Ubuntu privilege escalation; those appeared alongside the RustDesk cluster in Anonhaven’s coverage. Until RustDesk provides official releases or advisories, administrators should treat clients through 1.4.5 as potentially affected and prioritize verification and containment based on the explicit attack prerequisites and code locations reported above.
