RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given. | |
| Title | RustDesk before 1.4.9 Missing Session Scope Enforcement Allows Out-of-Scope Control Message Injection | |
| First Time appeared |
Rustdesk
Rustdesk rustdesk |
|
| Weaknesses | CWE-862 | |
| CPEs | cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Rustdesk
Rustdesk rustdesk |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-10T21:06:33.323Z
Reserved: 2026-06-25T18:48:00.282Z
Link: CVE-2026-57850
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T21:45:16Z