RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 10 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given. | |
| Title | RustDesk before 1.4.9 Missing Session Scope Enforcement Allows Out-of-Scope Control Message Injection | |
| First Time appeared |
Rustdesk
Rustdesk rustdesk |
|
| Weaknesses | CWE-862 | |
| CPEs | cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Rustdesk
Rustdesk rustdesk |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-10T21:06:33.323Z
Reserved: 2026-06-25T18:48:00.282Z
Link: CVE-2026-57850
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses