CVE-2026-30784
HIGH
CVSS 8.8
No EPSS data
Description
Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.
This issue affects RustDesk Server: through 1.7.5, through 1.1.15.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-30784",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 9.8,
"attackVector": "NETWORK",
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "NONE",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.9,
"exploitabilityScore": 3.9
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 8.8,
"Automatable": "NOT_DEFINED",
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"exploitMaturity": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"subIntegrityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"vulnAvailabilityImpact": "LOW",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-03-05T16:16:19.110",
"references": [
{
"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub",
"tags": [
"Exploit",
"Third Party Advisory"
],
"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"
},
{
"url": "https://rustdesk.com/docs/en/self-host/",
"tags": [
"Product",
"Vendor Advisory"
],
"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"
},
{
"url": "https://www.vulsec.org/",
"tags": [
"Not Applicable"
],
"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"description": [
{
"lang": "en",
"value": "CWE-306"
},
{
"lang": "en",
"value": "CWE-862"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.\n\nThis issue affects RustDesk Server: through 1.7.5, through 1.1.15."
},
{
"lang": "es",
"value": "Vulnerabilidad de Autorizaci\u00f3n Faltante, Autenticaci\u00f3n Faltante para Funci\u00f3n Cr\u00edtica en rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro en hbbs/hbbr en todas las plataformas de servidor (m\u00f3dulos de servidor Rendezvous (hbbs), servidor de retransmisi\u00f3n (hbbr)) permite el Abuso de Privilegios. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa src/rendezvous_server.Rs, src/relay_server.Rs y las rutinas de programa handle_punch_hole_request(), el gestor RegisterPeer, el reenv\u00edo de retransmisi\u00f3n.\n\nEste problema afecta a RustDesk Server: hasta 1.7.5, hasta 1.1.15."
}
],
"lastModified": "2026-03-25T16:19:56.530",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:oss:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4EEF792E-C412-4ECD-A2A2-5506601F4404",
"versionEndIncluding": "1.1.15"
},
{
"criteria": "cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4F6E21F9-385D-4DB4-9CD4-EDB43561D9E5",
"versionEndIncluding": "1.7.5"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"
}
}