CVE-2026-58056
Received - Intake

RustDesk Session Authorization Bypass via File Transfer

Vulnerability report for CVE-2026-58056, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulnCheck

Description

RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.
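As an added example, not RustDesk's own code, the toy model below shows the dispatch pattern the description identifies, with the vulnerable form beside a hardened one. `ConnType`, `Msg`, `Connection` and the `keyboard`/`file` flags are assumed names chosen to mirror the description; the real code base's types and handlers differ. The point it makes: clearing the flags for a file-transfer session would stop input injection, but would not have protected the screenshot and display-capture handlers, which carried no check at all, so the durable fix is to make the session's authorized connection type the first gate for every handler and let the per-capability flags only narrow what that type allows.

```rust
// Added illustrative model of the dispatch flaw described above.
// Not RustDesk's code: ConnType, Msg, Connection and the flag names
// are assumptions chosen to mirror the description.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ConnType {
    Default,      // full remote-control session
    FileTransfer, // session authorized for file transfer only
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Msg {
    KeyEvent,
    MouseEvent,
    Screenshot,
    DisplayCapture,
    FileAction,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Outcome {
    Handled,
    Rejected,
}

pub struct Connection {
    conn_type: ConnType,
    // Per-capability flags. They start true on every session and, in the
    // vulnerable model, a FileTransfer session never clears them.
    keyboard: bool,
    file: bool,
}

fn gate(allowed: bool) -> Outcome {
    if allowed { Outcome::Handled } else { Outcome::Rejected }
}

impl Connection {
    pub fn new(conn_type: ConnType) -> Self {
        Connection { conn_type, keyboard: true, file: true }
    }

    /// Vulnerable dispatch: authorization is decided by the per-capability
    /// flags alone, and the capture handlers carry no check at all, so a
    /// FileTransfer session reaches every handler.
    pub fn dispatch_vulnerable(&self, msg: Msg) -> Outcome {
        match msg {
            Msg::KeyEvent | Msg::MouseEvent => gate(self.keyboard),
            Msg::Screenshot | Msg::DisplayCapture => Outcome::Handled, // unguarded
            Msg::FileAction => gate(self.file),
        }
    }

    /// Hardened dispatch: the authorized connection type is checked first
    /// for every input and capture handler; the flags can only narrow
    /// what that type already permits.
    pub fn dispatch_fixed(&self, msg: Msg) -> Outcome {
        let remote_control = self.conn_type == ConnType::Default;
        match msg {
            Msg::KeyEvent | Msg::MouseEvent => gate(remote_control && self.keyboard),
            Msg::Screenshot | Msg::DisplayCapture => gate(remote_control),
            Msg::FileAction => gate(self.file),
        }
    }
}

fn main() {
    // Constructed scenario: a peer that was granted file transfer only.
    let ft = Connection::new(ConnType::FileTransfer);
    let msgs = [Msg::KeyEvent, Msg::MouseEvent, Msg::Screenshot, Msg::DisplayCapture, Msg::FileAction];
    for msg in msgs {
        println!(
            "{:?}: vulnerable={:?} fixed={:?}",
            msg,
            ft.dispatch_vulnerable(msg),
            ft.dispatch_fixed(msg)
        );
    }
}
```

Run it and the vulnerable column reports every message as handled for the file-transfer peer, while the fixed column rejects input and capture and still handles `FileAction`; a `Default` session keeps its input and capture access under the fixed dispatcher.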

CVSS Scores

(no score listed)

EPSS Scores

Probability: N/A
Percentile: N/A

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A
Cross-references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: rustdesk
Product: rustdesk
Version / Range: up to and including commit ff226f6d8013dee2de5a6553abaf67bf32b3e875

The range is expressed as a git commit rather than a release tag, so a build is affected if its source is at or before that commit; check the commit your build was made from rather than relying on the version string alone.

Helpful Resources

Exploitability

CWE: CWE-863 (Incorrect Authorization). The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
KEV: no entry listed

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58056 is an authorization bypass (CWE-863) in RustDesk, a remote desktop application. The host side of RustDesk gates incoming control messages on per-capability flags (keyboard, mouse and similar) rather than on the connection type the session was authorized for, and a file-transfer session does not clear those flags when it is established.

As a result, a peer holding only a valid FileTransfer authorization can inject keyboard and mouse input, and can reach the screenshot and display-capture handlers, which carry no check at all. The peer acts outside the scope it was granted, crossing the intended authorization boundary between file-transfer and remote-control sessions without any further prompt or approval.

Impact Analysis

An attacker who has been granted only file-transfer access to a host can act as if granted remote control: inject keyboard and mouse input and request screenshots and display captures, capabilities that should be available only to remote-control sessions. The extra capabilities are reachable within the file-transfer session that was already accepted, so no second authorization is involved.

In practice, a peer trusted only to move files can observe the screen, capture whatever is displayed, including credentials and documents, and drive the desktop. The result is unauthorized access, data exposure, and loss of control over the host for as long as the file-transfer session stays open.

Detection Guidance

Detection of CVE-2026-58056 means looking for keyboard or mouse input, or screenshot and display-capture requests, arriving on a session that was authorized only for file transfer.

Because the flaw is in the host's message dispatch, the most reliable signal is host-side: a session whose authorized connection type is FileTransfer handling control messages that belong to a remote-control session. RustDesk encrypts peer traffic by default, so packet capture shows message sizes and timing rather than message types; network data can corroborate (input and capture traffic on a session that should carry only file chunks) but cannot classify individual messages on its own.

Specific commands are not provided in the available resources, but general approaches include:

  • Inspect RustDesk host logs for sessions accepted as file transfer, and correlate them with input or screen-capture activity on the host during the same window (OS-level input events, unexpected cursor or window activity, new capture sessions).
  • Use network traffic analysis tools (e.g., Wireshark, tcpdump) to flag file-transfer sessions whose traffic profile resembles remote control, for example sustained host-to-peer flows sized like screen updates rather than bursty file chunks.
  • Monitor for input injection or display-capture requests that do not align with the capabilities the session was granted, and alert on them.
Mitigation Strategies

Immediate mitigation for CVE-2026-58056 is to update RustDesk to a build that contains the fix; because the affected range is given as a commit hash, confirm that the build you deploy was made from a commit later than ff226f6d8013dee2de5a6553abaf67bf32b3e875.

Based on the description, the fix belongs in the message dispatcher: input and capture handlers must be authorized on the session's connection type, with the per-capability flags only narrowing what that type allows, and a file-transfer session must not retain flags that grant input. Stricter validation of relay security flags and a requirement for signed peer key material in secure sessions are also mentioned as part of the fix; those items are not part of this CVE's own description and should be confirmed against the upstream change before being relied on.

Until an update is applied, treat any peer granted file-transfer access as if it had been granted remote control: accept file-transfer sessions only from peers you would trust with the screen and input, and monitor those sessions closely for input or capture activity.

Limiting access to relay or rendezvous metadata paths to trusted entities is worthwhile general hardening against session downgrade, but it does not by itself address the dispatch flaw described here, which is reachable by any peer already holding a file-transfer authorization.

Compliance Impact

The vulnerability in RustDesk allows a peer with only FileTransfer authorization to perform unauthorized actions such as injecting keyboard and mouse input and accessing screenshot and display-capture handlers. This unauthorized access and control could lead to exposure or manipulation of sensitive data during remote sessions.

Such unauthorized access and potential data exposure may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. The ability to bypass authorization scopes undermines the principle of least privilege and could result in violations of confidentiality and integrity requirements mandated by these regulations.
