Description
Use of Password Hash With Insufficient Computational Effort, Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Server Pro /api login over the HTTP management channel) allows Interception (aka Sniffing) followed by offline Password Brute Forcing.

The controlled-host peer authentication channel is NOT affected: Client::secure_connection verifies the HBBS-signed host public key and negotiates an XSalsa20-Poly1305 secretbox session before the login proof is sent, so passive capture and relay man-in-the-middle do not expose it (capture-replay / CWE-294 withdrawn). On the Server Pro /api login path the proof is protected by TLS alone, is exposed under the automatic invalid-certificate downgrade (CVE-2026-30794), and is recoverable offline because it is a fast double SHA256 over a server-controlled salt and challenge with no slow KDF.

This vulnerability is associated with program files src/client.rs and src/common.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction) and post_request_() (API transport).

This issue affects RustDesk Client: through 1.4.8.
Published: 2026-03-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because RustDesk Server's API login employs a double SHA-256 hash over a server-controlled salt and challenge, with the authentication proof transmitted in cleartext over HTTP. An attacker who captures the login traffic can recover the transmitted proof and run offline brute-force attacks with low computational effort per guess. The peer-to-peer authentication channel remains secure thanks to host-key verification and XSalsa20-Poly1305 encryption, but the HTTP login path is exposed unless the TLS downgrade is mitigated. As a result, attackers can gain unauthorized access to user accounts on the server.
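As an added example (not RustDesk's or OpenCVE's code), the following Python models the proof construction given in the description and in the Impact paragraph, SHA256(SHA256(pwd+salt)+challenge), beside a variant whose password-dependent step is a slow KDF; UTF-8 encoding, concatenation order and the PBKDF2 iteration count are assumptions.

```python
"""Constructed model of the login-proof constructions discussed above.

The legacy proof follows the CVE's formula SHA256(SHA256(pwd+salt)+challenge);
encoding and concatenation order are assumptions, not RustDesk's source. The
hardened variant swaps the inner fast hash for PBKDF2-HMAC-SHA256 (a CWE-916
mitigation) and keeps the challenge binding. SRP, the vendor's fix, is not modelled.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # hypothetical server parameter, not RustDesk's

def legacy_proof(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Fast double SHA-256: two hash calls per candidate password."""
    inner = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hashlib.sha256(inner + challenge).digest()

def hardened_proof(password: str, salt: bytes, challenge: bytes,
                   iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Same challenge binding, but the password-dependent step is a slow KDF.

    Anyone holding (salt, challenge, proof) now pays the full KDF cost per guess;
    salt and challenge stay server-chosen, so this raises the attack's price
    rather than removing it.
    """
    inner = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hashlib.sha256(inner + challenge).digest()

def verify(proof_fn, password: str, salt: bytes, challenge: bytes,
           presented: bytes) -> bool:
    """Server-side check with a constant-time comparison of the proofs."""
    return hmac.compare_digest(proof_fn(password, salt, challenge), presented)

def per_guess_cost_ratio(iterations: int = PBKDF2_ITERATIONS) -> float:
    """Wall-clock cost of one hardened guess divided by one legacy guess."""
    salt, challenge, n = os.urandom(16), os.urandom(16), 1000
    t0 = time.perf_counter()
    for _ in range(n):
        legacy_proof("constructed-guess", salt, challenge)
    t1 = time.perf_counter()
    hardened_proof("constructed-guess", salt, challenge, iterations)
    t2 = time.perf_counter()
    return (t2 - t1) / ((t1 - t0) / n)

if __name__ == "__main__":
    print(f"one PBKDF2 guess costs ~{per_guess_cost_ratio():.0f}x a double-SHA256 guess")
```

The ratio printed is the concrete meaning of "insufficient computational effort": the capture described on this page gives an attacker everything needed to test guesses, so per-guess cost is the only remaining lever short of a protocol change such as SRP.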

Affected Systems

Affected deployments are RustDesk Server Pro and the open-source RustDesk Server (OSS); the CVE data does not specify precise affected server versions. The client-side vulnerability applies to RustDesk Client through version 1.4.8 on all supported operating systems (Windows, macOS, Linux, iOS, Android).

Risk and Exploitability

The CVSS base score of 9.3 signals critical severity, while the EPSS score of less than 1% indicates a low current exploitation probability. The server does not enforce rate limiting and relies on a fast hash, which together increase the feasibility of brute-force attacks. The vulnerability is not yet listed in CISA's KEV catalog. Attackers who can obtain the challenge and salt can test password guesses offline with minimal effort, making the risk tangible for any exposed installation.

Generated by OpenCVE AI on June 22, 2026 at 09:50 UTC.

Remediation

Vendor Solution

Fix the automatic invalid-certificate downgrade (CVE-2026-30794); transition to SRP so no crackable proof is transmitted.


Vendor Workaround

Ensure the network path to the API server cannot be intercepted (VPN, direct link); use long random passwords.


OpenCVE Recommended Actions

  • Upgrade to a patched release of RustDesk Server Pro or RustDesk Server OSS that implements SRP authentication and adds server-side rate limiting.
  • Configure server-side rate limiting for authentication requests, such as deploying fail2ban or an equivalent mechanism on the OSS version.
  • Enforce strong passwords of at least 16 random characters and enable two-factor authentication where the client and server support it.

Generated by OpenCVE AI on June 22, 2026 at 09:50 UTC.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 10:00:00 +0000

Type: Title
  Values Removed: RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force
  Values Added: RustDesk Login Proof Exposed in Cleartext on the Server Pro /api Channel Under TLS Downgrade

Type: First Time appeared
  Values Added: Rustdesk-client
                Rustdesk-client rustdesk Client

Type: Weaknesses
  Values Added: CWE-319

Type: CPEs
  Values Added: cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
                cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
                cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
                cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
                cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*

Type: Vendors & Products
  Values Added: Rustdesk-client
                Rustdesk-client rustdesk Client

Type: Metrics
  Values Removed: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}
  Values Added: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Mon, 22 Jun 2026 08:00:00 +0000

Type: Description
  Values Removed: Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
  Values Added: Use of Password Hash With Insufficient Computational Effort, Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Server Pro /api login over the HTTP management channel) allows Interception (aka Sniffing) followed by offline Password Brute Forcing. The controlled-host peer authentication channel is NOT affected: Client::secure_connection verifies the HBBS-signed host public key and negotiates an XSalsa20-Poly1305 secretbox session before the login proof is sent, so passive capture and relay man-in-the-middle do not expose it (capture-replay / CWE-294 withdrawn). On the Server Pro /api login path the proof is protected by TLS alone, is exposed under the automatic invalid-certificate downgrade (CVE-2026-30794), and is recoverable offline because it is a fast double SHA256 over a server-controlled salt and challenge with no slow KDF. This vulnerability is associated with program files src/client.rs and src/common.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction) and post_request_() (API transport). This issue affects RustDesk Client: through 1.4.8.

Wed, 25 Mar 2026 15:45:00 +0000

Type: First Time appeared
  Values Added: Apple
                Apple macos
                Linux
                Linux linux Kernel
                Microsoft
                Microsoft windows
                Rustdesk
                Rustdesk rustdesk Server

Type: CPEs
  Values Added: cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:oss:*:*:*
                cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*
                cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
                cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
                cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Added: Apple
                Apple macos
                Linux
                Linux linux Kernel
                Microsoft
                Microsoft windows
                Rustdesk
                Rustdesk rustdesk Server

Type: Metrics
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 10 Mar 2026 19:15:00 +0000

Type: Metrics
  Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Added: Rustdesk-server
                Rustdesk-server rustdesk Server
                Rustdesk-server rustdesk Server Pro

Type: Vendors & Products
  Values Added: Rustdesk-server
                Rustdesk-server rustdesk Server
                Rustdesk-server rustdesk Server Pro

Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 16:00:00 +0000

Type: Description
  Values Added: Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.

Type: Title
  Values Added: RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force

Type: Weaknesses
  Values Added: CWE-307
                CWE-916

Type: References

Type: Metrics
  Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-06-22T08:23:07.377Z

Reserved: 2026-03-05T14:13:37.202Z

Link: CVE-2026-30790

Vulnrichment

Updated: 2026-03-05T16:30:43.098Z

NVD

Status : Analyzed

Published: 2026-03-05T16:16:19.703

Modified: 2026-06-17T10:32:55.280

Link: CVE-2026-30790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T10:00:11Z

Weaknesses
  • CWE-307

    Improper Restriction of Excessive Authentication Attempts

  • CWE-319

    Cleartext Transmission of Sensitive Information

  • CWE-916

    Use of Password Hash With Insufficient Computational Effort