CVE-2026-30784 is a vulnerability classified under CWE-862 (Missing Authorization) and CWE-306 (Missing Authentication for Critical Function) affecting the RustDesk Server software, specifically the rendezvous server (hbbs) and relay server (hbbr) components. The flaw resides in key program files such as src/rendezvous_server.rs and src/relay_server.rs, impacting functions like handle_punch_hole_request(), the RegisterPeer handler, and relay forwarding mechanisms. These functions lack proper authorization and authentication checks, allowing an unauthenticated attacker to perform privileged actions on the server. This can lead to privilege abuse, where unauthorized users can register peers, manipulate relay forwarding, or exploit punch hole requests to bypass intended access controls. The vulnerability affects all server platforms running RustDesk Server versions through 1.7.5 and 1.1.15. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), no confidentiality impact (VC:N), high integrity impact (VI:H), low availability impact (VA:L), no scope change (SC:N), no impact on security requirements (SI:N), and no security attribute changes (SA:N). Despite no known exploits in the wild, the high CVSS score of 8.8 reflects the critical nature of missing authorization and authentication in remote access infrastructure, which can be exploited remotely without credentials or user interaction.

The vulnerability allows attackers to bypass critical authorization and authentication controls in RustDesk Server, enabling unauthorized privilege escalation and manipulation of remote access sessions. This can lead to unauthorized access to internal networks, interception or redirection of remote desktop connections, and potential lateral movement within affected organizations. The integrity of remote access sessions can be compromised, allowing attackers to inject or alter data, disrupt relay forwarding, or register malicious peers. The availability impact is low but could increase if attackers disrupt relay services. Organizations relying on RustDesk Server for remote desktop or relay services, especially in sensitive environments such as enterprise IT, government, or critical infrastructure, face significant risks of data breaches, espionage, or operational disruption. The lack of authentication and authorization requirements lowers the barrier for exploitation, increasing the likelihood of attacks if the server is exposed to untrusted networks.

1. Immediately restrict network exposure of RustDesk Server components (hbbs and hbbr) to trusted internal networks or VPNs to reduce attack surface. 2. Monitor server logs for unusual or unauthorized peer registration attempts and relay forwarding activities that could indicate exploitation attempts. 3. Implement network-level access controls such as firewall rules and IP whitelisting to limit connections to known clients and administrators. 4. Apply vendor patches or updates as soon as they become available to address the missing authorization and authentication checks. 5. If patches are not yet available, consider deploying application-layer proxies or authentication gateways to enforce access controls externally. 6. Conduct thorough security reviews and penetration testing of remote access infrastructure to detect similar authorization weaknesses. 7. Educate administrators on the risks of exposing rendezvous and relay servers to public networks without adequate protections. 8. Maintain up-to-date incident response plans to quickly contain and remediate any exploitation attempts.