CVE-2026-57850
Received Received - Intake

RustDesk Session Scope Bypass via Control Message Injection

Vulnerability report for CVE-2026-57850, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options reserved for a full Remote session. An authenticated remote peer can exploit this missing scope check to act outside its granted scope, injecting out-of-scope control messages to observe and control the host beyond the permissions it was given.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rustdesk rustdesk to 1.4.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker with limited session permissions to escalate their control over the host system beyond what was intended. For example, a user granted only file transfer or camera viewing permissions could potentially gain full remote control capabilities.

Such unauthorized control could lead to unauthorized observation, manipulation, or control of the host system, potentially compromising sensitive data, disrupting operations, or enabling further attacks.

Executive Summary

This vulnerability in RustDesk versions before 1.4.9 occurs because the server does not enforce the authorized connection scope for a session. This means that a peer who is granted a limited session type, such as FileTransfer, PortForward, ViewCamera, or Terminal, can send control messages and login options that are meant only for a full Remote session.

As a result, an authenticated remote peer can exploit this missing scope check to act beyond its granted permissions, injecting out-of-scope control messages to observe and control the host in ways that should not be allowed.

Detection Guidance

Detection of this vulnerability involves monitoring for SessionScopeViolation alarms triggered by out-of-scope control messages sent by authenticated peers. The RustDesk server connection layer now includes detailed audit logging for such violations, which can be reviewed to identify unauthorized session activities.

Specifically, audit logs will record attempts to send control messages or login options outside the granted session scope (e.g., a FileTransfer session attempting Remote session controls). Monitoring these logs can help detect exploitation attempts.

While no explicit commands are provided in the resources, administrators should check RustDesk server audit logs for entries labeled as SessionScopeViolation or related permission audit events.

Mitigation Strategies

The primary mitigation step is to upgrade RustDesk to version 1.4.9 or later, which includes fixes enforcing session scope permission checks and auditing to prevent unauthorized control message injection.

This update restricts UI elements and control options to their appropriate session types, triggers alarms on scope violations, and disconnects offending sessions, thereby mitigating the risk of privilege escalation.

Additionally, reviewing and monitoring audit logs for session scope violations can help detect and respond to any exploitation attempts.

Compliance Impact

The vulnerability in RustDesk before version 1.4.9 allows an authenticated remote peer to bypass session scope restrictions, potentially gaining unauthorized control and observation capabilities beyond their granted permissions.

Such unauthorized access and control could lead to violations of data protection and privacy requirements mandated by standards like GDPR and HIPAA, as sensitive information might be exposed or manipulated without proper authorization.

The fix introduced in RustDesk 1.4.9 enforces strict session scope permission checks, auditing, and disconnection on violations, which helps mitigate risks related to unauthorized access and supports compliance with security and privacy regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57850. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart