FKIE_CVE-2026-30789

Vulnerability from fkie_nvd - Published: 2026-03-05 16:16 - Updated: 2026-06-22 10:16
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Use of Password Hash With Insufficient Computational Effort, Improper Restriction of Excessive Authentication Attempts vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Password Brute Forcing. The authentication proof is SHA256(SHA256(password + salt) + challenge), where both the salt and the challenge are generated entirely by the server with no client-side nonce, and the hash uses no slow key-derivation function. A rogue or on-path API/relay server (see CVE-2026-30794 / CVE-2026-30797) can issue a chosen salt and challenge, capture the resulting proof, and recover the password offline. The capture-replay claim (CWE-294) is withdrawn: the challenge is regenerated per connection (challenge = Config::get_auto_password(6)), so a captured proof is not replayable against the legitimate server. The 1.4.7 OTP brute-force limiter and the existing LOGIN_FAILURES counter constrain only ONLINE attempts and do not address offline recovery. This vulnerability is associated with program files src/client.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction). This issue affects RustDesk Client: through 1.4.8.
References
2fdefc65-d750-4b8d-96ee-6e2c0c42dbfehttps://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pubExploit, Third Party Advisory
2fdefc65-d750-4b8d-96ee-6e2c0c42dbfehttps://rustdesk.com/docs/en/client/Product
2fdefc65-d750-4b8d-96ee-6e2c0c42dbfehttps://www.vulsec.org/Not Applicable
Impacted products
Vendor Product Version
rustdesk rustdesk *
apple iphone_os -
apple macos -
google android -
linux linux_kernel -
microsoft windows -
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "collectionURL": "https://github.com/rustdesk/rustdesk/releases",
          "defaultStatus": "affected",
          "modules": [
            "Client login",
            "peer authentication"
          ],
          "packageName": "rustdesk-client",
          "platforms": [
            "Windows",
            "MacOS",
            "Linux",
            "iOS",
            "Android"
          ],
          "product": "RustDesk Client",
          "programFiles": [
            "src/client.rs"
          ],
          "programRoutines": [
            {
              "name": "handle_hash()"
            },
            {
              "name": "handle_login_from_ui() (login proof construction)"
            }
          ],
          "repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common",
          "vendor": "rustdesk-client",
          "versions": [
            {
              "lessThanOrEqual": "1.4.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*",
              "matchCriteriaId": "14986BCF-B589-41F2-913D-2800283B452B",
              "versionEndIncluding": "1.4.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Use of Password Hash With Insufficient Computational Effort, Improper Restriction of Excessive Authentication Attempts vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Password Brute Forcing.\n\nThe authentication proof is SHA256(SHA256(password + salt) + challenge), where both the salt and the challenge are generated entirely by the server with no client-side nonce, and the hash uses no slow key-derivation function. A rogue or on-path API/relay server (see CVE-2026-30794 / CVE-2026-30797) can issue a chosen salt and challenge, capture the resulting proof, and recover the password offline. The capture-replay claim (CWE-294) is withdrawn: the challenge is regenerated per connection (challenge = Config::get_auto_password(6)), so a captured proof is not replayable against the legitimate server. The 1.4.7 OTP brute-force limiter and the existing LOGIN_FAILURES counter constrain only ONLINE attempts and do not address offline recovery.\n\nThis vulnerability is associated with program files src/client.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction).\n\nThis issue affects RustDesk Client: through 1.4.8."
    },
    {
      "lang": "es",
      "value": "Omisi\u00f3n de autenticaci\u00f3n por captura-repetici\u00f3n, vulnerabilidad de uso de hash de contrase\u00f1a con esfuerzo computacional insuficiente en rustdesk-client RustDesk Client rustdesk-client en Windows, MacOS, Linux, iOS, Android (m\u00f3dulos de inicio de sesi\u00f3n del cliente, autenticaci\u00f3n de pares) permite la reutilizaci\u00f3n de IDs de sesi\u00f3n (tambi\u00e9n conocido como repetici\u00f3n de sesi\u00f3n). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa src/client.Rs y las rutinas de programa hash_password(), construcci\u00f3n de prueba de inicio de sesi\u00f3n. Este problema afecta a RustDesk Client: hasta la versi\u00f3n 1.4.5."
    }
  ],
  "id": "CVE-2026-30789",
  "lastModified": "2026-06-22T10:16:19.350",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-30789",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-03-17T14:32:41.844771Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-03-05T16:16:19.560",
  "references": [
    {
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
    },
    {
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
      "tags": [
        "Product"
      ],
      "url": "https://rustdesk.com/docs/en/client/"
    },
    {
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://www.vulsec.org/"
    }
  ],
  "sourceIdentifier": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-307"
        },
        {
          "lang": "en",
          "value": "CWE-916"
        }
      ],
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.