FKIE_CVE-2026-30789

Vulnerability from fkie_nvd - Published: 2026-03-05 16:16 - Updated: 2026-03-05 19:38
Severity ?
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction. This issue affects RustDesk Client: through 1.4.5.
References
2fdefc65-d750-4b8d-96ee-6e2c0c42dbfehttps://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub
2fdefc65-d750-4b8d-96ee-6e2c0c42dbfehttps://rustdesk.com/docs/en/client/
2fdefc65-d750-4b8d-96ee-6e2c0c42dbfehttps://www.vulsec.org/
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction.\n\nThis issue affects RustDesk Client: through 1.4.5."
    },
    {
      "lang": "es",
      "value": "Omisi\u00f3n de autenticaci\u00f3n por captura-repetici\u00f3n, vulnerabilidad de uso de hash de contrase\u00f1a con esfuerzo computacional insuficiente en rustdesk-client RustDesk Client rustdesk-client en Windows, MacOS, Linux, iOS, Android (m\u00f3dulos de inicio de sesi\u00f3n del cliente, autenticaci\u00f3n de pares) permite la reutilizaci\u00f3n de IDs de sesi\u00f3n (tambi\u00e9n conocido como repetici\u00f3n de sesi\u00f3n). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa src/client.Rs y las rutinas de programa hash_password(), construcci\u00f3n de prueba de inicio de sesi\u00f3n. Este problema afecta a RustDesk Client: hasta la versi\u00f3n 1.4.5."
    }
  ],
  "id": "CVE-2026-30789",
  "lastModified": "2026-03-05T19:38:33.877",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-05T16:16:19.560",
  "references": [
    {
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
      "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
    },
    {
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
      "url": "https://rustdesk.com/docs/en/client/"
    },
    {
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
      "url": "https://www.vulsec.org/"
    }
  ],
  "sourceIdentifier": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-294"
        },
        {
          "lang": "en",
          "value": "CWE-916"
        }
      ],
      "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.