汇总 rustdesk 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
历史漏洞主要涉及 CSRF与路径处理缺陷 等问题,部分漏洞可能导致 文件覆盖,并影响 软件部署与生产负载 相关场景。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-30798 | Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines stop-service handler in heartbeat loop. This issue affects RustDesk Client: through 1.4.8. | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 8.2 | 0.29% | 2026-03-05 | 2026-06-22 |
| CVE-2026-30797 | Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flutter/lib/common.Dart and program routines importConfig() via URI handler. This issue affects RustDesk Client: through 1.4.5. | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 9.3 | 0.46% | 2026-03-05 | 2026-06-17 |
| CVE-2026-30796 | Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Address book sync, Heartbeat sync loop modules) allows Sniffing Attacks. The client places the preset address-book password verbatim into the heartbeat sync JSON body (src/hbbs_http/sync.rs). Over an intact HTTPS session it is not exposed in transit, but it is a reusable shared secret rather than a zero-kno | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 6.9 | 0.17% | 2026-03-05 | 2026-06-22 |
| CVE-2026-30795 | Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines Heartbeat JSON payload construction (preset-address-book-password). This issue affects RustDesk Client: through 1.4.5. | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 8.7 | 0.27% | 2026-03-05 | 2026-06-17 |
| CVE-2026-30793 | Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart, src/flutter_ffi.Rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword(). This issue affects RustDesk Client: through 1.4.5. | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 9.3 | 0.31% | 2026-03-05 | 2026-06-17 |
| CVE-2026-30792 | A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options(). This issue affects RustDesk Client: through 1.4.8. | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 8.3 | 0.27% | 2026-03-05 | 2026-06-22 |
| CVE-2026-30789 | Use of Password Hash With Insufficient Computational Effort, Improper Restriction of Excessive Authentication Attempts vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Password Brute Forcing. The authentication proof is SHA256(SHA256(password + salt) + challenge), where both the salt and the challenge are generated entirely by the server with no client-side nonce, and the hash uses no slow | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 5.7 | 0.42% | 2026-03-05 | 2026-06-22 |
| CVE-2026-30785 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 8.2 | 0.08% | 2026-03-05 | 2026-06-17 |
| CVE-2026-30783 | A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling. This issue affects RustDesk Client: through 1.4.8. | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 4.8 | 0.38% | 2026-03-05 | 2026-06-22 |
| CVE-2026-3598 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines. This issue affects RustDesk Server Pro: through 1.7.5. | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 8.7 | 0.23% | 2026-03-05 | 2026-06-17 |
| CVE-2026-30791 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Config import, URI scheme handler, CLI --config modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files flutter/lib/common.Dart, hbb_common/src/config.Rs and program routines parseRustdeskUri(), importConfig(). This issue affects RustDesk Client: through 1.4.5. | 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe | 8.7 | 0.24% | 2026-03-05 | 2026-06-17 |
| CVE-2024-25140 | A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), valid from 2023 until 2033. This is potentially unwanted, e.g., because there is no public documentation of security measures for the private key, and arbitrary software could be signed if the private key were to be compromised. NOTE: the vendor's position is "we do not have EV cert, so we use test cert as a | [email protected] | 9.8 | 0.51% | 2024-02-06 | 2026-06-17 |