CVE-2026-2490: CWE-59: Improper Link Resolution Before File Access ('Link Following') in RustDesk Client for Windows
RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of RustDesk Client for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Transfer File feature. By uploading a symbolic link, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-27909.
AI Analysis
Technical Summary
CVE-2026-2490 is a vulnerability identified in RustDesk Client for Windows version 1.4.1, classified under CWE-59 (Improper Link Resolution Before File Access). The flaw resides in the Transfer File feature, where the application improperly handles symbolic links uploaded by a local attacker. By creating and uploading a symbolic link pointing to arbitrary files, an attacker who already has the ability to execute low-privileged code on the target system can trick the RustDesk client into reading and disclosing sensitive files. This occurs because the client resolves the symbolic link before accessing the file, allowing access to files outside the intended directory scope. The vulnerability enables information disclosure with SYSTEM-level privileges, significantly elevating the attacker's access to sensitive data. Exploitation does not require user interaction but does require local code execution privileges, limiting remote exploitation. The CVSS v3.0 base score is 5.5 (medium severity), reflecting the moderate complexity and impact focused on confidentiality. No patches or exploits are currently publicly available, but the vulnerability has been assigned and published by ZDI (ZDI-CAN-27909).
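One way a privileged transfer service can refuse link following before it reads a file, added here as an illustration; it is not RustDesk's code or its fix. `check_transfer_source`, `Refusal` and the transfer-root layout are hypothetical, and the demo builds its constructed files with Unix symlink calls so that it runs offline.

```rust
use std::{fs, io};
use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum Refusal { IsLink, NotRegularFile, OutsideRoot }

/// Hypothetical pre-read check for a service that reads files on a user's behalf.
pub fn check_transfer_source(root: &Path, requested: &Path) -> io::Result<Result<PathBuf, Refusal>> {
    // symlink_metadata describes the directory entry itself; it does not follow a link.
    let meta = fs::symlink_metadata(requested)?;
    if meta.file_type().is_symlink() {
        return Ok(Err(Refusal::IsLink));
    }
    if !meta.is_file() {
        return Ok(Err(Refusal::NotRegularFile));
    }
    // canonicalize resolves links in parent components, so a linked directory
    // cannot carry the request outside the intended transfer root.
    let real = fs::canonicalize(requested)?;
    if !real.starts_with(fs::canonicalize(root)?) {
        return Ok(Err(Refusal::OutsideRoot));
    }
    Ok(Ok(real))
}

/// Constructed sample layout: one plain file, one file link, one directory link.
#[cfg(unix)]
pub fn demo() -> io::Result<Vec<Result<PathBuf, Refusal>>> {
    use std::os::unix::fs::symlink;
    let base = std::env::temp_dir().join(format!("link-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (root, outside) = (base.join("transfer"), base.join("outside"));
    fs::create_dir_all(&root)?;
    fs::create_dir_all(&outside)?;
    fs::write(root.join("report.txt"), b"ok")?;
    fs::write(outside.join("secret.txt"), b"constructed secret")?;
    symlink(outside.join("secret.txt"), root.join("link.txt"))?;
    symlink(&outside, root.join("linkdir"))?;
    let out = ["report.txt", "link.txt", "linkdir/secret.txt", "linkdir"].iter()
        .map(|p| check_transfer_source(&root, &root.join(p))).collect::<io::Result<Vec<_>>>()?;
    fs::remove_dir_all(&base)?;
    Ok(out)
}

fn main() {
    #[cfg(unix)]
    println!("{:?}", demo());
}
```

A path check followed by a separate open leaves a race window, so a service should also validate the handle it actually opened rather than rely on the path check alone.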
Potential Impact
The primary impact of CVE-2026-2490 is unauthorized disclosure of sensitive information on affected systems running RustDesk Client for Windows 1.4.1. Since the attacker can read arbitrary files with SYSTEM privileges, this could lead to exposure of critical system files, credentials, configuration data, or other confidential information. Such data leakage could facilitate further attacks, including privilege escalation or lateral movement within an organization’s network. The vulnerability does not affect data integrity or system availability directly but compromises confidentiality significantly. Organizations relying on RustDesk for remote desktop and file transfer operations may face increased risk of insider threats or local attackers exploiting this flaw to gather intelligence. The requirement for local code execution reduces the risk of remote exploitation but does not eliminate it, especially in environments where endpoint security is weak or where attackers have gained initial footholds.
Mitigation Recommendations
To mitigate CVE-2026-2490, organizations should:
1) Upgrade RustDesk Client for Windows to a version where this vulnerability is patched once available.
2) Until a patch is released, restrict local user permissions to prevent unauthorized code execution, especially on systems running RustDesk.
3) Implement strict endpoint security controls such as application whitelisting and behavior monitoring to detect and block unauthorized symbolic link creation or suspicious file transfer activities.
4) Audit and monitor file system access logs for unusual access patterns indicative of symbolic link abuse.
5) Educate users about the risks of running untrusted code locally and enforce least privilege principles to minimize the attack surface.
6) Consider network segmentation and limiting RustDesk client usage to trusted environments to reduce exposure.
7) Coordinate with RustDesk vendor for timely updates and advisories.
Affected Countries
United States, Germany, China, India, United Kingdom, Canada, Australia, France, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: zdi
- Date Reserved: 2026-02-13T21:13:34.414Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 6998e47bbe58cf853bd9f757
Added to database: 2/20/2026, 10:47:23 PM
Last enriched: 2/28/2026, 12:46:50 PM
Last updated: 4/7/2026, 6:50:39 AM