CVE-2026-30790
CRITICAL(9.8)CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS 9.8 — Kritisch
EPSS-Score
0%
Exploit-Wahrscheinlichkeit (30 Tage)
CVSS Score
9.8
Technische Schwere
Beschreibung
Use of Password Hash With Insufficient Computational Effort, Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Server Pro /api login over the HTTP management channel) allows Interception (aka Sniffing) followed by offline Password Brute Forcing. The controlled-host peer authentication channel is NOT affected: Client::secure_connection verifies the HBBS-signed host public key and negotiates an XSalsa20-Poly1305 secretbox session before the login proof is sent, so passive capture and relay man-in-the-middle do not expose it (capture-replay / CWE-294 withdrawn). On the Server Pro /api login path the proof is protected by TLS alone, is exposed under the automatic invalid-certificate downgrade (CVE-2026-30794), and is recoverable offline because it is a fast double SHA256 over a server-controlled salt and challenge with no slow KDF. This vulnerability is associated with program files src/client.rs and src/common.rs and program routines handle_hash(), handle_login_from_ui() (login proof construction) and post_request_() (API transport). This issue affects RustDesk Client: through 1.4.8.