Session Permission Bypass in RustDesk Remote Control Application
CVE-2026-58056

7.2HIGH

Key Information:

Vendor

Rustdesk

Status
Vendor
CVE Published:
28 June 2026

What is CVE-2026-58056?

A vulnerability in RustDesk allows attackers to exploit a flaw in the session authorization mechanism. The issue arises when incoming control messages are gated by per-capability flags, which do not adequately account for the authorized connection type of the session. As a result, during a file-transfer session, the authorization flags can remain set, allowing a peer with only FileTransfer capabilities to inject keyboard and mouse inputs. This could lead to unauthorized access to the screenshot and display-capture handlers, effectively enabling actions outside the granted scope, heightening the risk of remote exploitation.

Affected Version(s)

RustDesk 0

References

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ashdfrkl
.