CVE-2026-30789
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk29th percentile - higher than 29% of all known CVEs
Summary
A vulnerability in the RustDesk client allows for password brute forcing due to insufficient computational effort in hashing and improper restriction of excessive authentication attempts. The authentication mechanism based on SHA256 does not use a slow key-derivation function, enabling attackers to recover passwords offline.
Risk Assessment
Organizations may be exposed to unauthorized access to user accounts, potentially leading to data breaches or other serious security incidents. Attackers can exploit this vulnerability to perform brute force attacks on user passwords.
Recommendation
It is recommended to update the RustDesk client to version 1.4.9 or later to patch this vulnerability. Additionally, implementing further security measures such as login attempt restrictions and using stronger hashing algorithms is advisable.
Original NVD description (English source)
Use of Password Hash With Insufficient Computational Effort, Improper Restriction of Excessive Authentication Attempts vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Password Brute Forcing. The authentication proof is SHA256(SHA256(password + salt) + challenge), where both the salt and the challenge are generated entirely by the server with no client-side nonce, and the hash uses no slow key-derivation function. A rogue or on-path API/relay server (see CVE-2026-30794 / CVE-2026-30797) can issue a chosen salt and challenge, capture the resulting proof, and recover the password offline. The capture-replay claim (CWE-294) is withdrawn: the challenge is regenerated per connection (challenge = Config::get_auto_password(6)), so a captured proof is not replayable against the legitimate server. The 1.4.7 OTP brute-force limiter and the existing LOGIN_FAILURES counter constrain only ONLINE attempts and do not address offline recovery. This vulnerability is associated with program files src/client.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction). This issue affects RustDesk Client: through 1.4.8.

