CVE-2026-58056

Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
28/06/2026
Last modified:
29/06/2026

Description

RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.