NVD published 226 new CVEs on March 5, 2026. Six of them affect the RustDesk client, versions through 1.4.5, an open-source remote access tool with over 109,000 GitHub stars. Each carries a CVSS score between 9.1 and 9.3. The same day, a CVSS 9.8 flaw surfaced in Nginx UI's web interface, and Microsoft disclosed a CVSS 9.8 remote code execution bug in its Devices Pricing Program cloud service.
RustDesk's problems center on its URI scheme handler. CVE-2026-30793 (CVSS 9.3) is a CSRF (cross-site request forgery) flaw: a crafted rustdesk://password/ link sets a permanent access password on the victim's RustDesk client without any confirmation dialog. The vulnerable code sits in the Flutter URI scheme handler and the FFI bridge — specifically flutter/lib/common.dart and src/flutter_ffi.rs.
The same URI scheme opens a second attack path. CVE-2026-30797 (CVSS 9.3) allows an attacker to redirect the client to a server they control by sending a rustdesk://config/ link that silently replaces the client's configuration. CISA tagged four of the six RustDesk CVEs with "Technical Impact: total" through its ADP Vulnrichment program, meaning full compromise of confidentiality, integrity, and availability.
Four more flaws round out the set:
- CVE-2026-30789 (CVSS 9.3) — authentication bypass via password hash replay. The hash_password() function in src/client.rs uses weak cryptographic hashing, letting an attacker who intercepts a session hash reuse it instead of recovering the password.
- CVE-2026-30790 (CVSS 9.3) — no brute-force protection. RustDesk imposes no limit on authentication attempts, so the password can be guessed online at whatever rate the network allows.
- CVE-2026-30794 (CVSS 9.1) — improper TLS certificate validation. Under certain conditions, the client calls danger_accept_invalid_certs(true), so any certificate is accepted and an adversary-in-the-middle (AiTM) can terminate the connection.
- CVE-2026-30792 (CVSS 9.1) — API message manipulation through intercepted settings sync, allowing an AiTM attacker to modify client strategies and configurations in transit.
All six affect Windows, macOS, Linux, iOS, and Android. No public exploit code had been published at the time of writing, and RustDesk had not released a patched version as of March 6, 2026.
RustDesk gained traction as a self-hosted alternative to TeamViewer and AnyDesk, particularly in organizations that avoid sending remote access traffic through third-party servers. That self-hosted model means the URI scheme handler — the entry point for the two worst flaws — runs wherever administrators deploy the client. The NVD records list VULSec as the assigning CNA (CVE Numbering Authority), and the six CVEs were reserved and published on the same day, March 5, suggesting a coordinated audit rather than independent bug discoveries.
Nginx UI's flaw is a different kind of problem. CVE-2026-27944 (CVSS 9.8) affects versions before 2.3.3 of the web interface for managing Nginx servers. The /api/backup endpoint requires no authentication and returns the AES encryption key and initialization vector in the X-Backup-Security HTTP response header alongside the encrypted backup itself, so the encryption protects nothing against whoever fetched the archive. According to TheHackerWire's analysis, the backup archive contains the SQLite database with admin credentials and 2FA secrets, SSL private keys for all managed domains, session tokens, and full Nginx configurations. Exploitation is trivial: one unauthenticated GET request. The fix is in Nginx UI 2.3.3.
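The two checks an operator wants after reading that paragraph are "did anyone already pull our backup?" and "is our instance still handing out the key?". The script below is an added example, not Nginx UI project code. It parses access-log lines for GET /api/backup and classifies each by outcome, and it inspects a captured response for the X-Backup-Security header. It assumes Nginx UI sits behind an nginx reverse proxy writing the standard 'combined' log format; the log lines are constructed, and the 401 entry stands for what a patched instance is expected to return to an unauthenticated caller.

```python
"""Added example, not Nginx UI project code: look for CVE-2026-27944 abuse in
reverse-proxy access logs and check a captured response for the leaked
X-Backup-Security header. Assumes Nginx UI sits behind an nginx reverse proxy
writing the standard 'combined' log format; the log lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Mapping

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

BACKUP_PATH = "/api/backup"

# Constructed lines: two successful pulls from different sources, one
# unrelated request, and one probe that an authenticated endpoint rejected.
CONSTRUCTED_LOG = [
    '198.51.100.7 - - [05/Mar/2026:13:02:11 +0000] "GET /api/backup HTTP/1.1" 200 1843200 "-" "curl/8.5.0"',
    '203.0.113.9 - - [05/Mar/2026:13:04:52 +0000] "GET /api/backup?t=1 HTTP/1.1" 200 1843200 "-" "python-requests/2.32"',
    '192.0.2.5 - - [05/Mar/2026:13:05:00 +0000] "GET /api/settings HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Mar/2026:13:06:30 +0000] "GET /api/backup HTTP/1.1" 401 27 "-" "curl/8.5.0"',
]


@dataclass
class BackupRequest:
    ip: str
    time: str
    status: int
    bytes_sent: int

    @property
    def succeeded(self) -> bool:
        # A 200 with a body means the archive, and the key in its header, left the server.
        return self.status == 200 and self.bytes_sent > 0


def find_backup_requests(lines: Iterable[str]) -> list[BackupRequest]:
    """Every GET for /api/backup regardless of outcome, so that pre-patch
    downloads and post-patch rejected probes both show up."""
    hits: list[BackupRequest] = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "GET" and path == BACKUP_PATH:
            size = 0 if m["bytes"] == "-" else int(m["bytes"])
            hits.append(BackupRequest(m["ip"], m["time"], int(m["status"]), size))
    return hits


def response_leaks_key(status: int, headers: Mapping[str, str]) -> bool:
    """True when an unauthenticated GET /api/backup came back 200 carrying the
    X-Backup-Security header, i.e. the instance still ships key and IV with the
    archive. A fixed instance should refuse the request instead."""
    names = {k.lower() for k in headers}
    return status == 200 and "x-backup-security" in names


if __name__ == "__main__":
    for hit in find_backup_requests(CONSTRUCTED_LOG):
        verdict = "DOWNLOADED" if hit.succeeded else "rejected"
        print(f"{hit.time} {hit.ip} -> {hit.status} {hit.bytes_sent}B {verdict}")
```

Feed find_backup_requests the real proxy log rather than CONSTRUCTED_LOG; any entry whose succeeded flag is set means the secrets listed above have left the box and need rotating, not just an upgrade. response_leaks_key can be applied to the status and headers of a request against your own instance, which lets you confirm the fix without storing the archive anywhere.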
Microsoft disclosed CVE-2026-21536 (CVSS 9.8) on the same day. The flaw is a remote code execution vulnerability in the Devices Pricing Program, a cloud service used by Microsoft and channel partners to manage device pricing. MSRC (Microsoft Security Response Center) classified the root cause as CWE-434 — unrestricted upload of a dangerous file type — according to the CVE record on Vulnerability-Lookup. The CVSS vector shows no authentication required, no user interaction, and high impact across all three CIA triad categories. MSRC noted that no customer action is needed because the fix applies server-side.
Two other CVEs from the March 5 batch deserve attention. CVE-2026-3459 (CVSS 8.1) affects the Drag and Drop Multiple File Upload plugin for WordPress Contact Form 7, enabling arbitrary file upload that leads to remote code execution. CVE-2025-13350 (CVSS 7.1) is a privilege escalation flaw specific to Ubuntu's 6.8 GA kernel, caused by a legacy AF_UNIX garbage collector that conflicts with a newer upstream mechanism.
RustDesk users should disable the rustdesk:// URI scheme at the OS level until a patched client ships. On Windows, that means deleting the registry key under HKEY_CLASSES_ROOT\rustdesk; on macOS, removing the URL scheme from the app's Info.plist, which invalidates the bundle's code signature and may stop the app from launching; on Linux, removing the x-scheme-handler/rustdesk entry from the .desktop file. Expect a reinstall or update to re-register the handler on all three platforms, so repeat the check after each one until the fix lands. Nginx UI administrators need to update to version 2.3.3 immediately: one HTTP request is all it takes to download the full server backup without credentials. Updating does not undo a download that has already happened; if the endpoint was reachable from untrusted networks, treat the admin credentials, 2FA secrets, session tokens and managed SSL private keys in that backup as compromised and rotate them.
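The Linux step of the interim mitigation above, as an added example that is not RustDesk project code: on a freedesktop system a URI scheme is claimed by a MimeType=x-scheme-handler/rustdesk entry in the application's .desktop file, and the user's mimeapps.list may pin that file as the default handler, so both need editing. The .desktop and mimeapps.list contents below are constructed (the real RustDesk entry may differ), and the file paths mentioned in the usage comment are assumptions about where a distribution package puts them.

```python
"""Added example, not RustDesk project code: remove the rustdesk:// handler
registration from a freedesktop .desktop entry and from a mimeapps.list.
Sample file contents are constructed; the paths in main() are assumptions."""
from __future__ import annotations

import sys
from pathlib import Path

SCHEME_MIME = "x-scheme-handler/rustdesk"

# Constructed stand-ins for /usr/share/applications/rustdesk.desktop and
# ~/.config/mimeapps.list (both paths are assumptions).
CONSTRUCTED_DESKTOP = """[Desktop Entry]
Name=RustDesk
Exec=rustdesk %u
Type=Application
MimeType=x-scheme-handler/rustdesk;
Categories=Network;RemoteAccess;
"""
CONSTRUCTED_MIMEAPPS = """[Default Applications]
x-scheme-handler/rustdesk=rustdesk.desktop
text/html=firefox.desktop
"""


def _rejoin(lines: list[str], original: str) -> str:
    return "\n".join(lines) + ("\n" if original.endswith("\n") else "")


def strip_scheme_from_desktop(text: str, mime: str = SCHEME_MIME) -> tuple[str, bool]:
    """Remove `mime` from the MimeType= key of the [Desktop Entry] group only.
    Returns (new_text, changed). If nothing else is listed the key is dropped;
    other groups such as [Desktop Action ...] are left untouched."""
    out: list[str] = []
    changed = in_main = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_main = stripped == "[Desktop Entry]"
        elif in_main and stripped.startswith("MimeType="):
            # Value is a ';'-separated list, conventionally ';'-terminated.
            types = [t for t in stripped[len("MimeType="):].split(";") if t]
            kept = [t for t in types if t != mime]
            if len(kept) != len(types):
                changed = True
                if not kept:
                    continue
                line = "MimeType=" + ";".join(kept) + ";"
        out.append(line)
    return _rejoin(out, text), changed


def strip_scheme_from_mimeapps(text: str, mime: str = SCHEME_MIME) -> tuple[str, bool]:
    """Drop any `mime=app.desktop` assignment, whatever group it sits in
    ([Default Applications], [Added Associations], ...), so xdg-open no longer
    resolves the scheme to a handler."""
    out: list[str] = []
    changed = False
    for line in text.splitlines():
        if line.split("=", 1)[0].strip() == mime:
            changed = True
            continue
        out.append(line)
    return _rejoin(out, text), changed


def claims_scheme(text: str, mime: str = SCHEME_MIME) -> bool:
    """Audit check: does this .desktop entry register itself for `mime`?"""
    _, changed = strip_scheme_from_desktop(text, mime)
    return changed


if __name__ == "__main__":
    # Usage (paths are assumptions; confirm with
    # `xdg-mime query default x-scheme-handler/rustdesk` first):
    #   python disable_rustdesk_scheme.py /usr/share/applications/rustdesk.desktop ~/.config/mimeapps.list
    for arg in sys.argv[1:]:
        p = Path(arg).expanduser()
        fn = strip_scheme_from_mimeapps if p.name == "mimeapps.list" else strip_scheme_from_desktop
        new_text, changed = fn(p.read_text())
        if changed:
            p.write_text(new_text)
        print(f"{p}: {'updated' if changed else 'no rustdesk handler found'}")
```

After editing, run update-desktop-database on the applications directory so the MIME cache drops the association, then confirm that xdg-mime query default x-scheme-handler/rustdesk no longer names rustdesk.desktop. Because a package upgrade reinstalls the .desktop file, claims_scheme is worth re-running against it after every update until the patched client arrives.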