CVE-2026-30793
Published: 05 March 2026
Summary
CVE-2026-30793 is a critical-severity Improper Authorization (CWE-285) vulnerability in the RustDesk client (vendor Rustdesk, product Rustdesk). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 11.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires protections for session authenticity, directly mitigating the CSRF vulnerability by preventing forged rustdesk://password/ URI requests from impersonating legitimate user actions.
AC-3 enforces approved access authorizations, countering the improper authorization (CWE-285) in MainSetPermanentPassword() that enables privilege escalation.
IA-11 mandates re-authentication for sensitive actions like setting a permanent password, preventing CSRF exploitation without valid credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF flaw in the URI/FFI handler allows a remote, unauthenticated attacker to set the permanent password (MainSetPermanentPassword), directly enabling privilege escalation with full C/I/A impact.
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.dart, src/flutter_ffi.rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword(). This issue affects RustDesk Client: through 1.4.5.
Deeper analysis
CVE-2026-30793 is a Cross-Site Request Forgery (CSRF) vulnerability in the RustDesk Client (rustdesk-client) on Windows, macOS, Linux, iOS, and Android platforms. The flaw affects the Flutter URI scheme handler and FFI bridge modules, specifically involving program files flutter/lib/common.dart, src/flutter_ffi.rs, and routines such as the URI handler for rustdesk://password/ and bind.MainSetPermanentPassword(). This issue enables privilege escalation and impacts RustDesk Client versions through 1.4.5. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 285 (Improper Authorization) and 352 (CSRF).
A network-based attacker needs no privileges and no user interaction to exploit this vulnerability, and the attack complexity is low. Successful exploitation yields privilege escalation with high impact on the confidentiality, integrity, and availability of the affected system.
Mitigation details are outlined in related advisories and project resources, including the primary publication at https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub, RustDesk repositories at https://github.com/rustdesk/hbb_common and https://github.com/rustdesk/rustdesk, and additional coverage at https://www.vulsec.org/. Security practitioners should consult these for patch availability and remediation steps.
Details
- CWE(s)