CWE-916
Use of Password Hash With Insufficient Computational Effort
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
CVE-2026-30789 (GCVE-0-2026-30789)
Vulnerability from cvelistv5 – Published: 2026-03-05 15:41 – Updated: 2026-03-17 14:32
VLAI
Title
RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks
Summary
Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction.
This issue affects RustDesk Client: through 1.4.5.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://rustdesk.com/docs/en/client/ | technical-descriptionx_--config documentation |
| https://docs.google.com/document/d/e/2PACX-1vSds6… | third-party-advisoryexploit |
| https://www.vulsec.org/ | vdb-entrythird-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rustdesk-client | RustDesk Client |
Affected:
0 , ≤ 1.4.5
(custom)
|
Date Public
2026-03-05 13:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30789",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T14:32:41.844771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T14:32:45.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/rustdesk/rustdesk/releases",
"defaultStatus": "affected",
"modules": [
"Client login",
"peer authentication"
],
"packageName": "rustdesk-client",
"platforms": [
"Windows",
"MacOS",
"Linux",
"iOS",
"Android"
],
"product": "RustDesk Client",
"programFiles": [
"src/client.rs"
],
"programRoutines": [
{
"name": "hash_password()"
},
{
"name": "login proof construction"
}
],
"repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common",
"vendor": "rustdesk-client",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Default \u2014 any password-based authentication"
}
],
"value": "Default \u2014 any password-based authentication"
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erez Kalman"
},
{
"lang": "en",
"type": "reporter",
"value": "Erez Kalman"
}
],
"datePublic": "2026-03-05T13:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay).\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003esrc/client.Rs\u003c/tt\u003e and program routines \u003ctt\u003ehash_password()\u003c/tt\u003e, \u003ctt\u003elogin proof construction\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Client: through 1.4.5.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction.\n\nThis issue affects RustDesk Client: through 1.4.5."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PoC available.\u003cbr\u003e"
}
],
"value": "PoC available."
}
],
"impacts": [
{
"capecId": "CAPEC-60",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-60 Reusing Session IDs (aka Session Replay)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-916",
"description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:57:27.727Z",
"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"shortName": "VULSec"
},
"references": [
{
"tags": [
"technical-description",
"x_--config documentation"
],
"url": "https://rustdesk.com/docs/en/client/"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
},
{
"tags": [
"vdb-entry",
"third-party-advisory"
],
"url": "https://www.vulsec.org/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Add client-side nonce to auth proof. Implement SRP."
}
],
"value": "Add client-side nonce to auth proof. Implement SRP."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use long (16+ char) random passwords. Enable 2FA where available."
}
],
"value": "Use long (16+ char) random passwords. Enable 2FA where available."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"assignerShortName": "VULSec",
"cveId": "CVE-2026-30789",
"datePublished": "2026-03-05T15:41:51.417Z",
"dateReserved": "2026-03-05T14:13:37.202Z",
"dateUpdated": "2026-03-17T14:32:45.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30790 (GCVE-0-2026-30790)
Vulnerability from cvelistv5 – Published: 2026-03-05 15:49 – Updated: 2026-03-10 18:26
VLAI
Title
RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force
Summary
Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.
This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/rustdesk | product |
| https://docs.google.com/document/d/e/2PACX-1vSds6… | third-party-advisoryexploit |
| https://www.vulsec.org/ | vdb-entrythird-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| rustdesk-server-pro | RustDesk Server Pro |
Affected:
0 , ≤ 1.7.5
(custom)
|
|
| rustdesk-server | RustDesk Server (OSS) |
Affected:
0 , ≤ 1.1.15
(custom)
|
Date Public
2026-03-05 13:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30790",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T18:26:28.818818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T18:26:36.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/rustdesk/rustdesk-server-pro/releases",
"defaultStatus": "affected",
"modules": [
"Peer authentication",
"API login"
],
"packageName": "rustdesk-server-pro",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "RustDesk Server Pro",
"programRoutines": [
{
"name": "Salt/challenge generation"
},
{
"name": "SHA256(SHA256(pwd+salt)+challenge) verification"
}
],
"vendor": "rustdesk-server-pro",
"versions": [
{
"changes": [
{
"at": "Server Pro",
"status": "affected"
}
],
"lessThanOrEqual": "1.7.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://github.com/rustdesk/rustdesk-server/releases",
"defaultStatus": "unaffected",
"modules": [
"Peer authentication",
"API login"
],
"packageName": "rustdesk-server",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "RustDesk Server (OSS)",
"programFiles": [
"src/server/connection.rs"
],
"programRoutines": [
{
"name": "Salt/challenge generation"
},
{
"name": "SHA256(SHA256(pwd+salt)+challenge) verification"
}
],
"repo": "https://github.com/rustdesk/rustdesk-server",
"vendor": "rustdesk-server",
"versions": [
{
"changes": [
{
"at": "Server OSS",
"status": "affected"
}
],
"lessThanOrEqual": "1.1.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Default \u2014 any password-based authentication"
}
],
"value": "Default \u2014 any password-based authentication"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erez Kalman"
},
{
"lang": "en",
"type": "reporter",
"value": "Erez Kalman"
}
],
"datePublic": "2026-03-05T13:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003esrc/server/connection.Rs\u003c/tt\u003e and program routines \u003ctt\u003eSalt/challenge generation\u003c/tt\u003e, \u003ctt\u003eSHA256(SHA256(pwd+salt)+challenge) verification\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.\u003c/p\u003e"
}
],
"value": "Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.\n\nThis issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PoC available.\u003cbr\u003e"
}
],
"value": "PoC available."
}
],
"impacts": [
{
"capecId": "CAPEC-49",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-49 Password Brute Forcing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-916",
"description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:59:25.324Z",
"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"shortName": "VULSec"
},
"references": [
{
"tags": [
"product"
],
"url": "https://github.com/rustdesk"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
},
{
"tags": [
"vdb-entry",
"third-party-advisory"
],
"url": "https://www.vulsec.org/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Implement SRP (Secure Remote Password) for mutual authentication. Add server-side rate limiting."
}
],
"value": "Implement SRP (Secure Remote Password) for mutual authentication. Add server-side rate limiting."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+)."
}
],
"value": "Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+)."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"assignerShortName": "VULSec",
"cveId": "CVE-2026-30790",
"datePublished": "2026-03-05T15:49:15.539Z",
"dateReserved": "2026-03-05T14:13:37.202Z",
"dateUpdated": "2026-03-10T18:26:36.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-51
Phase: Architecture and Design
Description:
- Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use.
- Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead.
- Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.
Mitigation ID: MIT-25
Phases: Implementation, Architecture and Design
Description:
- When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
CAPEC-55: Rainbow Table Password Cracking
An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.