CVE-2026-30784

CriticalPublic PoC

Published: 05 March 2026

Published

05 March 2026

Modified

25 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0039 60.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and…

program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding. This issue affects RustDesk Server: through 1.7.5, through 1.1.15.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, directly mitigating the missing authorization checks in critical functions like handle_punch_hole_request and RegisterPeer handlers.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires identification and authentication for non-organizational users or processes, addressing the missing authentication vulnerability allowing unauthenticated privilege abuse in hbbs and hbbr modules.

AC-6 Least Privilege good match

prevent

Implements least privilege to restrict access to only necessary functions, preventing privilege abuse even if initial checks are bypassed in relay forwarding and peer registration.

Security SummaryAI

CVE-2026-30784, published on 2026-03-05, is a Missing Authorization and Missing Authentication for Critical Function vulnerability in RustDesk Server, affecting rustdesk-server and rustdesk-server-pro through versions 1.7.5 and 1.1.15, respectively. The flaw impacts the hbbs (Rendezvous server) and hbbr (relay server) modules across all server platforms, enabling Privilege Abuse. It stems from inadequate checks in program files src/rendezvous_server.rs and src/relay_server.rs, specifically in routines like handle_punch_hole_request(), the RegisterPeer handler, and relay forwarding. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 306 and 862.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows privilege abuse by bypassing authentication and authorization for critical functions, resulting in high confidentiality, integrity, and availability impacts on the affected server components.

Mitigation details are outlined in the following advisories and documentation: https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub, https://rustdesk.com/docs/en/self-host/, and https://www.vulsec.org/.

Details

CWE(s): CWE-306 CWE-862

Affected Products

rustdesk

rustdesk server

≤ 1.1.15 · ≤ 1.7.5

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing RustDesk server (hbbs/hbbr) with missing authentication/authorization, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub
Exploit, Third Party Advisory · 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
https://rustdesk.com/docs/en/self-host/
Product, Vendor Advisory · 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
https://www.vulsec.org/
Not Applicable · 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe