CVE-2026-30793 Overview
A critical Cross-Site Request Forgery (CSRF) vulnerability has been identified in RustDesk Client affecting versions through 1.4.5. This security flaw exists in the Flutter URI scheme handler and FFI bridge modules, allowing attackers to exploit improper authorization controls (CWE-285) to achieve privilege escalation. The vulnerability specifically impacts the rustdesk://password/ URI handler and the bind.MainSetPermanentPassword() routine, enabling unauthorized modification of permanent passwords through crafted requests.
RustDesk is a popular open-source remote desktop application used across enterprise and personal environments. The vulnerability's network-based attack vector, combined with minimal user interaction requirements, makes it particularly dangerous for organizations using RustDesk for remote access and support operations.
Critical Impact
Attackers can leverage this CSRF vulnerability to escalate privileges by manipulating the permanent password configuration through malicious URI requests, potentially gaining unauthorized remote access to affected systems.
Affected Products
- RustDesk Client through version 1.4.5 on Windows
- RustDesk Client through version 1.4.5 on MacOS
- RustDesk Client through version 1.4.5 on Linux
- RustDesk Client through version 1.4.5 on iOS
- RustDesk Client through version 1.4.5 on Android
Discovery Timeline
- March 5, 2026 - CVE-2026-30793 published to NVD
- March 5, 2026 - Last updated in NVD database
Technical Details for CVE-2026-30793
Vulnerability Analysis
This vulnerability stems from improper authorization controls within RustDesk Client's URI scheme handling mechanism. The affected components include flutter/lib/common.Dart and src/flutter_ffi.Rs, which process incoming URI requests for the rustdesk://password/ scheme. When a user is tricked into clicking a malicious link or visiting a compromised webpage, the application fails to properly validate the origin and authenticity of password modification requests.
The flaw allows an attacker to forge requests that invoke the bind.MainSetPermanentPassword() function, effectively bypassing the intended authorization workflow. Since RustDesk utilizes Flutter with an FFI (Foreign Function Interface) bridge to Rust backend code, the attack surface spans both the Dart-based UI layer and the native Rust implementation.
Root Cause
The root cause is classified as CWE-285 (Improper Authorization). The URI scheme handler in RustDesk Client does not implement sufficient validation to ensure that password modification requests originate from legitimate, authenticated sources. The application's trust model for URI-based commands lacks proper CSRF protections, allowing external actors to trigger privileged operations through user interaction with malicious content.
The vulnerability exists because:
- The rustdesk://password/ URI handler processes requests without verifying request origin
- No anti-CSRF tokens or nonces are validated before executing password changes
- The FFI bridge passes commands directly to privileged functions without additional authorization checks
Attack Vector
The attack exploits the network-based URI scheme handler, requiring minimal user interaction (such as clicking a link). An attacker can craft a malicious webpage or email containing a specially constructed rustdesk:// URI that, when activated by the victim, triggers the vulnerable password modification routine.
The attack flow involves:
- Attacker creates a malicious URI targeting rustdesk://password/ with crafted parameters
- Victim clicks the link or visits a page that automatically triggers the URI
- RustDesk Client processes the URI through the Flutter handler in common.Dart
- The FFI bridge in flutter_ffi.Rs passes the command to bind.MainSetPermanentPassword()
- The permanent password is modified without proper authorization verification
- Attacker gains unauthorized access using the new credentials
Since no verified code examples are available, readers should consult the Google Document Resource and the GitHub RustDesk Project for additional technical details on the vulnerability mechanism.
Detection Methods for CVE-2026-30793
Indicators of Compromise
- Unexpected changes to RustDesk permanent password configurations
- Log entries showing bind.MainSetPermanentPassword() invocations without corresponding legitimate user actions
- Unusual incoming remote connections using credentials not set by authorized administrators
- Browser history or network logs showing access to suspicious rustdesk:// URI links
Detection Strategies
- Monitor RustDesk configuration files for unauthorized password modifications
- Implement endpoint detection rules to alert on rustdesk://password/ URI scheme invocations from external sources
- Deploy network monitoring to identify suspicious traffic patterns associated with unauthorized RustDesk connections
- Enable detailed logging within RustDesk to capture all password change events with timestamps and source information
Monitoring Recommendations
- Configure SentinelOne agents to monitor process activity associated with RustDesk password configuration changes
- Establish baseline behavior for RustDesk usage and alert on deviations indicating potential exploitation
- Implement browser isolation or URL filtering to prevent access to malicious rustdesk:// URIs from untrusted sources
- Review RustDesk logs regularly for authentication anomalies or unexpected administrative actions
How to Mitigate CVE-2026-30793
Immediate Actions Required
- Upgrade RustDesk Client to a version newer than 1.4.5 that addresses this vulnerability
- Audit all RustDesk permanent password configurations across the organization for unauthorized changes
- Restrict URI scheme handler execution through endpoint protection policies where possible
- Educate users about the risks of clicking unknown links, particularly those invoking desktop applications
Patch Information
Organizations should monitor the GitHub RustDesk Project for security updates and patched releases. Review the VulSec Security Publications and the Google Document Resource for the latest security advisories related to this vulnerability.
Workarounds
- Disable or restrict the rustdesk:// URI scheme handler at the operating system level until a patch is applied
- Implement network-level controls to block outbound RustDesk connections from unauthorized systems
- Use application allowlisting to prevent untrusted processes from invoking RustDesk functionality
- Deploy browser extensions or proxy rules that filter potentially malicious rustdesk:// URIs
# Example: Disable RustDesk URI scheme on Linux (temporary mitigation)
# Remove or modify the .desktop file handling rustdesk:// URIs
sudo rm /usr/share/applications/rustdesk-uri-handler.desktop
# Verify handler is disabled
xdg-mime query default x-scheme-handler/rustdesk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
