Platform: rust
Component: rustdesk-server
Fixed in: 1.7.6, 1.1.16
CVE-2026-30784 describes a critical Missing Authorization and Authentication vulnerability discovered in RustDesk Server. This flaw allows for Privilege Abuse, potentially granting attackers unauthorized access and control over the server. The vulnerability impacts versions 0.0 through 1.7.5 and 1.1.15 across all server platforms, specifically the Rendezvous server (hbbs) and relay server (hbbr) modules. A fix is expected to be released by the vendor.
The core of this vulnerability lies in the inadequate authorization and authentication checks within the RustDesk Server's Rendezvous and relay server modules. Attackers can exploit this to bypass security controls and gain elevated privileges. Successful exploitation could lead to unauthorized access to sensitive data, modification of server configurations, and even complete control over the server infrastructure. The handle_punch_hole_request() and RegisterPeer handlers, as well as relay forwarding routines, are particularly vulnerable. The potential impact is significant, especially considering RustDesk's use in remote access scenarios, where compromised servers could expose user data and systems to malicious actors.
CVE-2026-30784 was publicly disclosed on 2026-03-05. Currently, there are no known public proof-of-concept exploits available. The EPSS score for this vulnerability is pending evaluation. It is listed on the NVD. Active campaigns are not currently confirmed, but the severity of the vulnerability warrants proactive monitoring and mitigation.
Exploit Status
EPSS: 0.15% (36th percentile)
The primary mitigation for CVE-2026-30784 is to upgrade to a patched version of RustDesk Server as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds to reduce the attack surface. These may include restricting network access to the server, implementing stricter firewall rules to limit inbound connections, and carefully reviewing and auditing server configurations. Monitoring logs for suspicious activity related to the handle_punch_hole_request() and RegisterPeer handlers is also recommended. After upgrading, verify the fix by attempting to connect to the server using unauthorized credentials and confirming that access is denied.
Update RustDesk Server to a version later than 1.7.5 and 1.1.15 to fix the missing authorization and authentication vulnerabilities. Refer to the official RustDesk documentation for detailed instructions on how to perform the update safely.
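Triage of deployed versions against the upgrade guidance above, added here as an example and not taken from RustDesk or from this advisory's source. It assumes the two fixed versions listed on this page (1.7.6 and 1.1.16) mark separate release lines and that the operator knows which line each host runs; `ReleaseLine`, `parse_version` and `is_affected` are hypothetical names.

```rust
// Added example, not RustDesk code. Fixed versions are the two listed on this page.
// Assumption: each fixed version marks its own release line, chosen by the operator.
#[derive(Clone, Copy)]
pub enum ReleaseLine { OneSeven, OneOne }

impl ReleaseLine {
    fn first_fixed(self) -> [u64; 3] {
        match self {
            ReleaseLine::OneSeven => [1, 7, 6],
            ReleaseLine::OneOne => [1, 1, 16],
        }
    }
}

/// Parse "1.1.15", "v1.7.5" or "1.1.15-2" into [major, minor, patch].
/// Assumption: anything after '-' or '+' is a packaging suffix and is ignored.
pub fn parse_version(s: &str) -> Result<[u64; 3], String> {
    let core = s.trim().trim_start_matches('v');
    let core = core.split(|c: char| c == '-' || c == '+').next().unwrap_or("");
    let parts: Vec<&str> = core.split('.').collect();
    if parts.len() != 3 {
        return Err(format!("expected MAJOR.MINOR.PATCH, got {:?}", s));
    }
    let mut out = [0u64; 3];
    for (slot, p) in out.iter_mut().zip(&parts) {
        *slot = p.parse().map_err(|_| format!("non-numeric component in {:?}", s))?;
    }
    Ok(out)
}

/// True when the installed version predates the first fixed release of its line.
/// Unparseable input is an error, so a failed check is never read as "not affected".
pub fn is_affected(installed: &str, line: ReleaseLine) -> Result<bool, String> {
    Ok(parse_version(installed)? < line.first_fixed())
}

fn main() {
    // Constructed inventory: (host label, reported version, release line).
    let inventory = [
        ("relay-a", "1.1.16", ReleaseLine::OneOne),
        ("rdv-a", "v1.7.5", ReleaseLine::OneSeven),
        ("rdv-b", "unknown", ReleaseLine::OneSeven),
    ];
    for (host, ver, line) in inventory {
        match is_affected(ver, line) {
            Ok(true) => println!("{host}: {ver} AFFECTED, upgrade"),
            Ok(false) => println!("{host}: {ver} at or past the fixed release"),
            Err(e) => println!("{host}: cannot determine ({e})"),
        }
    }
}
```

Comparing every host against 1.7.6 alone would report a 1.1.16 deployment as affected, which is why the release line is an explicit input.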
CVE-2026-30784 is a Missing Authorization/Authentication vulnerability in RustDesk Server versions 0.0 - 1.7.5 and 1.1.15, allowing attackers to gain unauthorized privileges.
If you are running RustDesk Server versions 0.0 through 1.7.5 or 1.1.15, you are potentially affected by this vulnerability.
Upgrade to a patched version of RustDesk Server as soon as it becomes available. Until then, implement temporary workarounds like restricting network access and monitoring logs.
Currently, there are no confirmed active exploitation campaigns, but the vulnerability's severity warrants proactive monitoring.
Refer to the official RustDesk security advisories on their website or GitHub repository for updates and announcements regarding this vulnerability.