CVE-2026-30784
Published: 05 March 2026
Summary
CVE-2026-30784 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Rustdesk Rustdesk Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly mitigating the missing authorization checks in critical functions like handle_punch_hole_request and RegisterPeer handlers.
Requires identification and authentication for non-organizational users or processes, addressing the missing authentication vulnerability allowing unauthenticated privilege abuse in hbbs and hbbr modules.
Implements least privilege to restrict access to only necessary functions, preventing privilege abuse even if initial checks are bypassed in relay forwarding and peer registration.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing RustDesk server (hbbs/hbbr) with missing authentication/authorization, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and…
more
program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding. This issue affects RustDesk Server: through 1.7.5, through 1.1.15.
Deeper analysisAI
CVE-2026-30784, published on 2026-03-05, is a Missing Authorization and Missing Authentication for Critical Function vulnerability in RustDesk Server, affecting rustdesk-server and rustdesk-server-pro through versions 1.7.5 and 1.1.15, respectively. The flaw impacts the hbbs (Rendezvous server) and hbbr (relay server) modules across all server platforms, enabling Privilege Abuse. It stems from inadequate checks in program files src/rendezvous_server.rs and src/relay_server.rs, specifically in routines like handle_punch_hole_request(), the RegisterPeer handler, and relay forwarding. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 306 and 862.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows privilege abuse by bypassing authentication and authorization for critical functions, resulting in high confidentiality, integrity, and availability impacts on the affected server components.
Mitigation details are outlined in the following advisories and documentation: https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub, https://rustdesk.com/docs/en/self-host/, and https://www.vulsec.org/.
Details
- CWE(s)