Description
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Published: 2026-03-05
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in RustDesk Client arises from the way the Server Pro /api login proof is constructed and transmitted. A double‑SHA256 hash over a server‑controlled salt and challenge is sent in cleartext over the HTTP management channel, protected only by TLS. When an invalid server certificate is automatically downgraded to an insecure connection, the hash is exposed. An attacker who captures this traffic can recover the hash and perform offline brute‑force attacks with minimal computational effort, gaining access to user accounts. The peer‑to‑peer authentication channel remains secure because it employs host‑key verification and XSalsa20‑Poly1305 encryption before the login proof is sent.

Affected Systems

Affected deployments are RustDesk Client version 1.4.8 and earlier on all supported operating systems: Windows, macOS, Linux, iOS, and Android.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1% shows a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Attackers can offline brute‑force the reproduced hash with very little effort if they obtain the challenge and salt, so the risk is significant for exposed installations that lack other mitigations.

Generated by OpenCVE AI on June 22, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the RustDesk patch that eliminates the automatic invalid‑certificate downgrade (CVE‑2026‑30794) or upgrade to a revision that uses SRP authentication for API logins.
  • Configure the network so that API traffic cannot be intercepted, for example by enforcing a VPN tunnel or a direct, isolated link to the server.
  • Enforce strong, random passwords for user accounts to reduce the feasibility of offline brute‑force attacks.

Generated by OpenCVE AI on June 22, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Title RustDesk Login Proof Exposed in Cleartext on the Server Pro /api Channel Under TLS Downgrade
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Use of Password Hash With Insufficient Computational Effort, Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Server Pro /api login over the HTTP management channel) allows Interception (aka Sniffing) followed by offline Password Brute Forcing. The controlled-host peer authentication channel is NOT affected: Client::secure_connection verifies the HBBS-signed host public key and negotiates an XSalsa20-Poly1305 secretbox session before the login proof is sent, so passive capture and relay man-in-the-middle do not expose it (capture-replay / CWE-294 withdrawn). On the Server Pro /api login path the proof is protected by TLS alone, is exposed under the automatic invalid-certificate downgrade (CVE-2026-30794), and is recoverable offline because it is a fast double SHA256 over a server-controlled salt and challenge with no slow KDF. This vulnerability is associated with program files src/client.rs and src/common.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction) and post_request_() (API transport). This issue affects RustDesk Client: through 1.4.8. This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Weaknesses CWE-319
CPEs cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products Rustdesk-client
Rustdesk-client rustdesk Client
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Mon, 22 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Title RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force RustDesk Login Proof Exposed in Cleartext on the Server Pro /api Channel Under TLS Downgrade
First Time appeared Rustdesk-client
Rustdesk-client rustdesk Client
Weaknesses CWE-319
CPEs cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products Rustdesk-client
Rustdesk-client rustdesk Client
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Mon, 22 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Description Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15. Use of Password Hash With Insufficient Computational Effort, Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Server Pro /api login over the HTTP management channel) allows Interception (aka Sniffing) followed by offline Password Brute Forcing. The controlled-host peer authentication channel is NOT affected: Client::secure_connection verifies the HBBS-signed host public key and negotiates an XSalsa20-Poly1305 secretbox session before the login proof is sent, so passive capture and relay man-in-the-middle do not expose it (capture-replay / CWE-294 withdrawn). On the Server Pro /api login path the proof is protected by TLS alone, is exposed under the automatic invalid-certificate downgrade (CVE-2026-30794), and is recoverable offline because it is a fast double SHA256 over a server-controlled salt and challenge with no slow KDF. This vulnerability is associated with program files src/client.rs and src/common.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction) and post_request_() (API transport). This issue affects RustDesk Client: through 1.4.8.

Wed, 25 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk Server
CPEs cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:oss:*:*:*
cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk Server
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Rustdesk-server
Rustdesk-server rustdesk Server
Rustdesk-server rustdesk Server Pro
Vendors & Products Rustdesk-server
Rustdesk-server rustdesk Server
Rustdesk-server rustdesk Server Pro

Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
Title RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force
Weaknesses CWE-307
CWE-916
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Apple Macos
Linux Linux Kernel
Microsoft Windows
Rustdesk Rustdesk Server
Rustdesk-server Rustdesk Server Rustdesk Server Pro
cve-icon MITRE

Status: REJECTED

Assigner: VULSec

Published:

Updated: 2026-06-22T13:06:15.128Z

Reserved: 2026-03-05T14:13:37.202Z

Link: CVE-2026-30790

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T16:16:19.703

Modified: 2026-06-17T10:32:55.280

Link: CVE-2026-30790

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T13:30:16Z

Weaknesses
  • CWE-307

    Improper Restriction of Excessive Authentication Attempts

  • CWE-916

    Use of Password Hash With Insufficient Computational Effort