CVE-2026-30784

CRITICAL

RustDesk Server - Privilege Escalation

Title source: llm

Description

Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding. This issue affects RustDesk Server: through 1.7.5, through 1.1.15.

References (3)

[Various Sources] https://rustdesk.com/docs/en/self-host/

[Various Sources] https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub

[Various Sources] https://www.vulsec.org/

Scores

CVSS v3 9.8

EPSS 0.0039

EPSS Percentile 60.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-306 CWE-862

Status published

Products (2)

rustdesk/rustdesk_server < 1.1.15

rustdesk/rustdesk_server < 1.7.5

Published Mar 05, 2026

Tracked Since Mar 05, 2026