CVE-2026-58056 - RustDesk file-transfer session control-scope bypass

CVE-2026-58056 - RustDesk file-transfer session control-scope bypass - High - 2026-06-28

Business risk: A peer granted file-transfer-only access can inject input or capture screen content outside the granted support scope.

Root cause: Incoming control handlers trust stale capability flags instead of checking the active authorization type for each message.

Affected versions

  • Vulnerable: RustDesk builds where FileTransfer authorization leaves control/display capability flags reachable.
  • Fixed / safe target: Upgrade/backport a fix that gates every control, screenshot, and display-capture handler on the session connection type.
  • CVSS: 7.6 (High)

Exact vulnerable code pattern

if session.permissions.keyboard {
    handle_keyboard(input_event);
}
if session.permissions.screenshot {
    send_screenshot();
}

Fixed / mitigated code pattern

if session.connection_type != ConnectionType::Control {
    reject_control_message(message.kind());
    return;
}
if session.permissions.keyboard {
    handle_keyboard(input_event);
}

Step-by-step integration guide

  1. Inventory RustDesk client/server versions and forks.
  2. Upgrade/backport per-message connection-type authorization checks.
  3. Disable file-transfer sessions from untrusted peers until patched.
  4. Add tests that FileTransfer sessions cannot send control/display messages.
  5. Review logs for file-transfer sessions followed by control-like events.

Alternative mitigations

  • Disable unattended access and file transfer for external peers.
  • Require operator confirmation for transition from file transfer to control.
  • Segment relay traffic and log control-message types.

Detection signature

rg -n "ConnectionType::FileTransfer|FileTransfer|keyboard|mouse|screenshot|display_capture|permissions" .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-58056: RustDesk file-transfer session control-scope bypass.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-58056 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, rustdesk, rust, remote-control, authorization, sellable_to_it, enterprise_blocker, high
  • Affected tech stack: rust
  • Revenue tags: sellable_to_it, enterprise_blocker

References