CVE-2026-58056 HIGH

CVE-2026-58056: RustDesk - FileTransfer Session Authorization Scope Bypass

Vendor Rustdesk
Product RustDesk
Weakness CWE-863 · Incorrect authorization
Published June 28, 2026
Last update June 29, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

What the vulnerability does

01Description

RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.

Key dates

02Disclosure timeline

June 28, 2026 CVE published
June 29, 2026 Record updated