CVE-2026-30792— RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-30792
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options(). This issue affects RustDesk Client: through 1.4.5.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
违背安全设计原则
Source: NVD (National Vulnerability Database)
Vulnerability Title
RustDesk 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
RustDesk是RustDesk个人开发者的一款远程访问和远程控制软件,主要由 Rust 编写,可以远程维护计算机和其他设备。 RustDesk 1.4.5及之前版本存在安全漏洞,该漏洞源于策略同步和HTTP API客户端等模块存在问题,可能导致通过中间人攻击操纵应用API消息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| rustdesk-client | RustDesk Client | 0 ~ 1.4.5 | - |
II. Public POCs for CVE-2026-30792
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-30792
请登录查看更多情报信息。
Same Patch Batch · rustdesk-client · 2026-03-05 · 10 CVEs total
| CVE-2026-30791 | RustDesk Client Accepts Pseudo-Encrypted Config Strings Without Cryptographic Validation | |
| CVE-2026-30789 | RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks | |
| CVE-2026-30794 | RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure | |
| CVE-2026-30797 | RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server | |
| CVE-2026-30798 | RustDesk Client Accepts Unauthenticated stop-service Command via Strategy Payload | |
| CVE-2026-30793 | RustDesk Flutter URI Handler Sets Permanent Password Without Privilege Check or User Confi | |
| CVE-2026-30795 | RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure | |
| CVE-2026-30785 | RustDesk Encrypts Local Passwords with World-Readable Machine ID and Fixed Zero Nonce (XSa | |
| CVE-2026-30783 | RustDesk Client Can Orphan API Channel to Ignore All Admin Commands and ACL Policies |
IV. Related Vulnerabilities
Same product: RustDesk Client
- CVE-2026-30785
RustDesk Encrypts Local Passwords with World-Readable Machin - CVE-2026-30783
RustDesk Client Can Orphan API Channel to Ignore All Admin C - CVE-2026-30789
RustDesk Client Generates Auth Proof Without Client-Side Non - CVE-2026-30798
RustDesk Client Accepts Unauthenticated stop-service Command - CVE-2026-30797
RustDesk rustdesk://config/ URI Silently Re-homes Client to
Same vendor: rustdesk-client
- CVE-2026-30785
RustDesk Encrypts Local Passwords with World-Readable Machin - CVE-2026-30783
RustDesk Client Can Orphan API Channel to Ignore All Admin C - CVE-2026-30789
RustDesk Client Generates Auth Proof Without Client-Side Non - CVE-2026-30798
RustDesk Client Accepts Unauthenticated stop-service Command - CVE-2026-30797
RustDesk rustdesk://config/ URI Silently Re-homes Client to
Same weakness: CWE-657
- CVE-2026-39888
PraisonAIAgents has a sandbox escape via exception frame tra - CVE-2025-54255
Acrobat Reader | Violation of Secure Design Principles (CWE- - CVE-2024-57957
Huawei HarmonyOS 安全漏洞 - CVE-2023-29320
ZDI-CAN-20712: Adobe Acrobat Blacklist Bypass Design flaw - CVE-2022-30683
AEM Violation of Secure Design Principles Security feature b
V. Comments for CVE-2026-30792
No comments yet