Platform
flutter
Component
rustdesk
Fixed in
1.4.6
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in RustDesk Client versions 0.0 through 1.4.5. This vulnerability allows an attacker to potentially escalate privileges by crafting malicious requests that exploit the application's URI handling routines. The affected components include the Flutter application, FFI bridge modules, and specific routines like rustdesk://password/ and bind.MainSetPermanentPassword(). A fix is available; upgrade to a patched version to address this security concern.
The CSRF vulnerability in RustDesk Client allows an attacker to trick a legitimate user into unknowingly executing malicious actions within the application. Specifically, an attacker could leverage this flaw to modify the user's permanent password via the rustdesk://password/ URI handler, effectively gaining unauthorized access to the user's RustDesk session. The attack surface spans multiple platforms including Windows, MacOS, Linux, iOS, and Android, increasing the potential blast radius. Successful exploitation could lead to data breaches, unauthorized remote access, and potential compromise of systems connected to the RustDesk service. While no direct precedent exists for this specific vulnerability, CSRF vulnerabilities generally pose a significant risk due to their ease of exploitation and potential for widespread impact.
CVE-2026-30793 was publicly disclosed on 2026-03-05. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog, suggesting a low to medium probability of exploitation given the lack of public tooling and confirmed attacks.
Exploit Status
EPSS
0.03% (7% percentile)
CISA SSVC
The primary mitigation for CVE-2026-30793 is to upgrade to a patched version of RustDesk Client. The vendor has not released a specific fixed version as of this writing, but monitor their official channels for updates. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the origins from which RustDesk Client can load resources. Additionally, educate users about the risks of clicking on suspicious links and entering credentials on untrusted websites. After upgrading, verify the fix by attempting to trigger the password modification URI handler from a different origin and confirming that the request is blocked.
Update RustDesk Client to a version later than 1.4.5. This will fix the CSRF vulnerability that allows privilege escalation by setting a permanent password without verification or user confirmation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-30793 is a Cross-Site Request Forgery vulnerability affecting RustDesk Client versions 0.0 through 1.4.5, allowing attackers to potentially escalate privileges.
If you are using RustDesk Client versions 0.0 to 1.4.5, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade to a patched version of RustDesk Client. Monitor the vendor's official channels for updates. Implement CSP headers as a temporary workaround.
As of now, there is no indication of active exploitation campaigns targeting CVE-2026-30793, but vigilance is still advised.
Refer to the official RustDesk Client website and security advisories for the latest information and updates regarding CVE-2026-30793.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pubspec.lock file and we'll tell you instantly if you're affected.