CVE-2026-2490 is a vulnerability identified in RustDesk Client for Windows (version 1.4.1) related to improper link resolution before file access, categorized under CWE-59 ('Link Following'). The flaw exists in the Transfer File feature, where the application fails to properly validate symbolic links uploaded by a local attacker. By crafting and uploading a symbolic link, an attacker who already has the ability to execute low-privileged code on the target system can trick RustDesk into reading arbitrary files on the system. This leads to disclosure of sensitive information with SYSTEM-level privileges, significantly elevating the impact of the initial low-privileged code execution. The vulnerability does not require user interaction and has a CVSS v3 base score of 5.5, reflecting medium severity. The attack vector is local (AV:L), with low attack complexity (AC:L), requiring privileges (PR:L), and no user interaction (UI:N). The vulnerability affects confidentiality (C:H) but not integrity or availability. No patches or known exploits have been reported at the time of publication. This vulnerability was assigned by the Zero Day Initiative (ZDI) and publicly disclosed on February 20, 2026.

The primary impact of CVE-2026-2490 is unauthorized disclosure of sensitive information on affected systems running RustDesk Client for Windows 1.4.1. Since the vulnerability allows reading arbitrary files with SYSTEM privileges, attackers can access highly sensitive data including system configuration, credentials, or other confidential files. This can facilitate further attacks such as privilege escalation, lateral movement, or data exfiltration. Although exploitation requires prior local code execution, the elevation of information access to SYSTEM context significantly increases the risk. Organizations relying on RustDesk for remote desktop or file transfer services may face data breaches, compliance violations, and operational risks if this vulnerability is exploited. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate future risk, especially in environments where local code execution is possible.

To mitigate CVE-2026-2490, organizations should first verify if they are running RustDesk Client for Windows version 1.4.1. Since no official patches are currently available, immediate mitigation includes restricting local user permissions to prevent unauthorized code execution, thereby reducing the attack surface. Administrators should monitor and control file system permissions to prevent creation or manipulation of symbolic links by untrusted users. Employ application whitelisting and endpoint protection solutions to detect and block suspicious local activities related to symbolic link creation or exploitation attempts. Network segmentation and strict access controls can limit exposure of systems running RustDesk. Additionally, organizations should maintain vigilance for updates or patches from RustDesk and apply them promptly once released. Conducting regular audits of file transfer logs and system events may help detect exploitation attempts early.