CVE-2026-58056
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
28/06/2026
Last modified:
29/06/2026
Description
RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.
Impact
Base Score 4.0
7.20
Severity 4.0
HIGH
Base Score 3.x
7.60
Severity 3.x
HIGH



