๐Ÿ” CVE Alert

CVE-2026-57850

HIGH 8.3

RustDesk before 1.4.9 Missing Session Scope Enforcement Allows Out-of-Scope Control Message Injection

CVSS Score
8.3
EPSS Score
0.0%
EPSS Percentile
0th

RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given.

CWE CWE-862
Vendor rustdesk
Product rustdesk
Published Jul 10, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for rustdesk rustdesk

Be the first to know when new high vulnerabilities affecting rustdesk rustdesk are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Affected Versions

RustDesk / RustDesk
0 < 1.4.9

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/rustdesk/rustdesk/pull/15469 github.com: https://github.com/rustdesk/rustdesk/commit/493b14ba78abc3dfb33f109c7f93c1c95a1dabc4 github.com: https://github.com/rustdesk/rustdesk/releases/tag/1.4.9 github.com: https://github.com/rustdesk/rustdesk

Credits

๐Ÿ” sn0x-sharma