CVE-2026-30789 PUBLISHED

RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks

Assigner: VULSec
Reserved: 05.03.2026 Published: 05.03.2026 Updated: 05.03.2026

Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction.

This issue affects RustDesk Client: through 1.4.5.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor rustdesk-client
Product RustDesk Client
Versions Default: affected
  • affected from 0 to 1.4.5 (incl.)

Affected Configurations

Default — any password-based authentication

Exploits

PoC available.

Workarounds

Use long (16+ char) random passwords. Enable 2FA where available.

Solutions

Add client-side nonce to auth proof. Implement SRP.

Credits

  • Erez Kalman finder
  • Erez Kalman reporter

References

Problem Types

  • CWE-294 Authentication Bypass by Capture-replay CWE
  • CWE-916 Use of Password Hash With Insufficient Computational Effort CWE

Impacts

  • CAPEC-60 Reusing Session IDs (aka Session Replay)