RustDesk Client
CVE-2026-30789
MEDIUM
Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable replay (AV:N, PR:N, UI:N) but requires prior capture of a valid proof (AC:H); successful impersonation yields full session confidentiality and integrity, no availability impact.
Primary rating from Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe).
CVSS VectorVendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction.
This issue affects RustDesk Client: through 1.4.5.
AnalysisAI
Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote attackers to replay captured session IDs and login proofs to impersonate legitimate peers without knowing the original credentials. The flaw stems from insufficient computational effort in the hash_password() routine combined with reusable session identifiers in the login proof construction, enabling capture-replay attacks against the peer authentication module. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (12th percentile).
Technical ContextAI
RustDesk is an open-source remote-desktop platform whose client (src/client.rs) implements peer authentication by exchanging a login proof derived from a password hash. CWE-294 (Authentication Bypass by Capture-replay) applies here because the protocol reuses session IDs rather than binding each authentication exchange to a fresh server-issued nonce, and CWE-916-style weakness (insufficient computational effort in hash_password()) means the derived authentication material is both predictable and replayable. The CPE 'cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*' indicates the webclient edition is in scope, though the description explicitly enumerates all desktop and mobile platforms, suggesting the shared client/protocol code path is universally affected.
RemediationAI
No vendor-released patch identified at time of analysis for versions through 1.4.5; monitor the RustDesk project at https://rustdesk.com/docs/en/client/ and the advisory at https://vuldb.com/?id.349205 for a fixed release and upgrade as soon as one is published. As compensating controls, deploy a self-hosted RustDesk relay/ID server rather than the public infrastructure so session traffic cannot be passively captured by third parties, restrict the RustDesk signaling and relay ports (default 21115-21119) to trusted source IPs via firewall rules, enforce per-connection one-time access codes instead of static permanent passwords (reducing the value of any captured proof), and require TLS-terminating reverse proxies in front of the relay to limit raw protocol exposure - the trade-off is operational overhead and the loss of frictionless ad-hoc remote support that public-relay one-click access provides.
A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Au
Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-acce
Authorization scope bypass in RustDesk lets a peer holding only a FileTransfer authorization inject keyboard and mouse i
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remot
Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application
RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive
RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network hea
Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthen
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today