Description
Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Config import, URI scheme handler, CLI --config modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files flutter/lib/common.Dart, hbb_common/src/config.Rs and program routines parseRustdeskUri(), importConfig().

This issue affects RustDesk Client: through 1.4.5.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

RustDesk Client accepts configuration data from three entry points: the custom URI scheme handler (parseRustdeskUri()), the CLI --config option, and the config import path (importConfig()), on every supported platform including the WebClient. The advisory describes the config string format as pseudo-encrypted: it is a reversible encoding with no cryptographic validation, so it provides neither confidentiality against anyone who holds a copy of the client nor an integrity check on what the client decodes. That is why the record maps to CWE-327 (use of a broken or risky cryptographic algorithm) and CWE-684 (incorrect provision of specified functionality, here an "encryption" step that does not actually protect the data). The scored impact is confidentiality: anyone who obtains a config string can recover the sensitive values embedded in it, such as credentials or private keys. Because the format is not authenticated, the client also has no way to tell an operator-issued string from a modified or attacker-crafted one, and it decodes and applies either without complaint.

Affected Systems

The vulnerability exists in all RustDesk Client builds for Windows, macOS, Linux, iOS, Android, and the WebClient that include the custom URI scheme handler and the CLI/config import modules. It affects versions up to and including 1.4.5 and is located in the files flutter/lib/common.Dart and hbb_common/src/config.Rs, in the routines parseRustdeskUri() and importConfig().

Risk and Exploitability

The CVSS 4.0 base score is 8.7 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N: reachable over the network with no privileges or user interaction, and the impact is confined to confidentiality. NVD's CVSS 3.1 assessment is 7.5 (C:H/I:N/A:N) on the same reasoning. The EPSS score is below 1% and the SSVC record lists Exploitation as "none" (though Automatable as "yes"), so active exploitation is not known at present; the vulnerability is not in the CISA KEV catalog. To read embedded secrets an attacker needs only a copy of a config string, which can be obtained wherever such strings travel: deployment scripts, support tickets, a shared custom-scheme URI, or a config file on disk. Injecting a crafted string uses the same channels in reverse (editing the file directly, an external import, or getting a trusted party to open a crafted URI), and the client decodes it silently. Treating config strings as public data and limiting the channels through which they are distributed reduces the exposure until a release with a proper authenticated encryption scheme is deployed.

Generated by OpenCVE AI on April 16, 2026 at 12:23 UTC.

Remediation

Vendor Solution

Implement AES-256-GCM AEAD or equivalent authenticated encryption


Vendor Workaround

Treat config strings as public; restrict distribution to trusted channels only


OpenCVE Recommended Actions

  • Update to the latest RustDesk Client version that implements AES‑256‑GCM authenticated encryption for configuration data, ensuring integrity checks before use.
  • If an immediate upgrade is not possible, restrict the import of configuration strings to trusted, verified channels only and treat all imported data as untrusted; avoid exposing configuration files to untrusted users.
  • Disable or closely monitor the URI scheme handler and CLI import options until a secure implementation is released, preventing unintended injection of malicious config data.
  • Verify that any existing configuration files in use do not contain exposed sensitive data and remove or re‑encrypt them if necessary.

Generated by OpenCVE AI on April 16, 2026 at 12:23 UTC.
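The two states the advisory contrasts, a reversible "pseudo-encrypted" config string versus an AES-256-GCM wrapped one, as an added example that is not RustDesk's code and not taken from the page. Go is used because its standard library ships AES-GCM, so the example runs with no dependencies, even though RustDesk's config module is Rust. The obfuscation scheme below (fixed key XOR plus base64) is a constructed stand-in for the weakness class, not RustDesk's actual format; the operator passphrase, the SHA-256 key derivation and the "config-v1" context label are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed stand-in for a pseudo-encrypted config string (NOT RustDesk's
// actual format). A fixed key baked into every client copy is XORed over the
// plaintext and the result base64-encoded. It looks opaque, but every client
// (or anyone who reads the key out of one) decodes it, and nothing detects
// modification: exactly the CWE-327 / CWE-684 situation the advisory names.
var builtinObfuscationKey = []byte("client-builtin-key") // assumption: same in every build

func xorWithBuiltinKey(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ builtinObfuscationKey[i%len(builtinObfuscationKey)]
	}
	return out
}

// PseudoEncrypt obfuscates a config; XOR with a fixed key is its own inverse.
func PseudoEncrypt(config []byte) string {
	return base64.StdEncoding.EncodeToString(xorWithBuiltinKey(config))
}

// PseudoDecrypt accepts any well-formed base64. It cannot distinguish a string
// the operator produced from one an attacker altered or forged.
func PseudoDecrypt(s string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	return xorWithBuiltinKey(raw), nil
}

// Remediation named in the advisory: AES-256-GCM, an AEAD. The key comes from
// a secret the attacker does not hold (an operator passphrase, assumed here),
// and the GCM tag binds ciphertext plus a context label, so OpenConfig fails
// closed on any change, any wrong key, or a label mismatch.
const configContextLabel = "config-v1" // assumption: associated data, not secret

func deriveKey(passphrase string) []byte {
	// SHA-256 keeps the example dependency-free; a real deployment should use a
	// password KDF (Argon2id or scrypt) with a per-config salt.
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:] // 32 bytes => AES-256
}

func newGCM(passphrase string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealConfig returns base64(nonce || ciphertext || tag).
func SealConfig(passphrase string, config []byte) (string, error) {
	gcm, err := newGCM(passphrase)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, config, []byte(configContextLabel))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenConfig verifies the authentication tag before returning any plaintext.
func OpenConfig(passphrase, s string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("config string too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(configContextLabel))
}

// TamperBase64 flips one bit of the decoded payload and re-encodes it,
// modelling an attacker who edits a config string in transit.
func TamperBase64(s string, index int) string {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil || index < 0 || index >= len(raw) {
		return s
	}
	raw[index] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	cfg := []byte("id-server=example.invalid\nkey=constructed-sample-key") // constructed sample
	ps := PseudoEncrypt(cfg)
	leaked, _ := PseudoDecrypt(ps)
	altered, err := PseudoDecrypt(TamperBase64(ps, 0))
	fmt.Printf("pseudo: anyone decodes -> %q\n", leaked)
	fmt.Printf("pseudo: tampered string decodes, err=%v -> %q\n", err, altered)

	sealed, _ := SealConfig("operator-passphrase", cfg)
	_, err = OpenConfig("operator-passphrase", TamperBase64(sealed, 0))
	fmt.Println("aead: tampered string rejected:", err)
	_, err = OpenConfig("wrong-passphrase", sealed)
	fmt.Println("aead: wrong key rejected:", err)
}
```

The point to carry over to any real implementation: the AEAD helps only if the key is not shipped inside the client. A hard-coded AES-GCM key would stop tampering but would leave the confidentiality problem the advisory scores exactly where it is, which is why the vendor workaround of treating config strings as public still applies to any scheme keyed on a build-time constant.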


Advisories

No advisories yet.

History

Wed, 18 Mar 2026 19:30:00 +0000
  Values Removed: (none)
  Values Added:
    First Time appeared: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk
    CPEs:
      cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:-:*:*:*
      cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
      cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
      cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
      cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
      cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
    Vendors & Products: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk
    Metrics cvssV3_1:
      {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 06 Mar 2026 19:15:00 +0000
  Values Removed: (none)
  Values Added:
    Metrics ssvc:
      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 18:15:00 +0000

Thu, 05 Mar 2026 15:15:00 +0000
  Values Removed: (none)
  Values Added:
    Description: Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Config import, URI scheme handler, CLI --config modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files flutter/lib/common.Dart, hbb_common/src/config.Rs and program routines parseRustdeskUri(), importConfig(). This issue affects RustDesk Client: through 1.4.5.
    Title: RustDesk Client Accepts Pseudo-Encrypted Config Strings Without Cryptographic Validation
    First Time appeared: Rustdesk-client; Rustdesk-client rustdesk Client
    Weaknesses: CWE-327; CWE-684
    CPEs:
      cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
      cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
      cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
      cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
      cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:webclient:*:*:*:*:*
      cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
    Vendors & Products: Rustdesk-client; Rustdesk-client rustdesk Client
    References:
    Metrics cvssV4_0:
      {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-06T18:16:16.130Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30791

Vulnrichment

Updated: 2026-03-06T18:16:09.440Z

NVD

Status : Analyzed

Published: 2026-03-05T15:16:14.717

Modified: 2026-03-18T19:25:01.167

Link: CVE-2026-30791

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses