PT-2026-57308 · Rustdesk · Rustdesk

Sanket Sharma

+1

·

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-57850

CVSS v3.1

8.3

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-57850

Affected Products

Rustdesk