Skip to main content

RustDesk Client CVE-2026-30789

MEDIUM
Authentication Bypass by Capture-replay (CWE-294)
2026-03-05 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
5.7
CVSS 4.0 · Vendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
Share

Severity by source

Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Network-reachable replay (AV:N, PR:N, UI:N) but requires prior capture of a valid proof (AC:H); successful impersonation yields full session confidentiality and integrity, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe).

CVSS VectorVendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Severity Changed
Jun 22, 2026 - 14:22 NVD
HIGH MEDIUM
CVSS changed
Jun 22, 2026 - 14:22 NVD
8.2 (HIGH) 5.7 (MEDIUM)
Analysis Updated
Jun 22, 2026 - 10:48 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 10:48 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 10:37 vuln.today
cvss_changed
Severity Changed
Jun 22, 2026 - 10:37 NVD
CRITICAL HIGH
CVSS changed
Jun 22, 2026 - 10:37 NVD
9.3 (CRITICAL) 8.2 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 16:16 nvd
CRITICAL 9.3

DescriptionCVE.org

Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction.

This issue affects RustDesk Client: through 1.4.5.

AnalysisAI

Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote attackers to replay captured session IDs and login proofs to impersonate legitimate peers without knowing the original credentials. The flaw stems from insufficient computational effort in the hash_password() routine combined with reusable session identifiers in the login proof construction, enabling capture-replay attacks against the peer authentication module. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (12th percentile).

Technical ContextAI

RustDesk is an open-source remote-desktop platform whose client (src/client.rs) implements peer authentication by exchanging a login proof derived from a password hash. CWE-294 (Authentication Bypass by Capture-replay) applies here because the protocol reuses session IDs rather than binding each authentication exchange to a fresh server-issued nonce, and CWE-916-style weakness (insufficient computational effort in hash_password()) means the derived authentication material is both predictable and replayable. The CPE 'cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*' indicates the webclient edition is in scope, though the description explicitly enumerates all desktop and mobile platforms, suggesting the shared client/protocol code path is universally affected.

RemediationAI

No vendor-released patch identified at time of analysis for versions through 1.4.5; monitor the RustDesk project at https://rustdesk.com/docs/en/client/ and the advisory at https://vuldb.com/?id.349205 for a fixed release and upgrade as soon as one is published. As compensating controls, deploy a self-hosted RustDesk relay/ID server rather than the public infrastructure so session traffic cannot be passively captured by third parties, restrict the RustDesk signaling and relay ports (default 21115-21119) to trusted source IPs via firewall rules, enforce per-connection one-time access codes instead of static permanent passwords (reducing the value of any captured proof), and require TLS-terminating reverse proxies in front of the relay to limit raw protocol exposure - the trade-off is operational overhead and the loss of frictionless ad-hoc remote support that public-relay one-click access provides.

Share

CVE-2026-30789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy