CVE-2026-30785
Received Received - Intake
Prototype Pollution and Weak Password Hash in RustDesk Client

Publication date: 2026-03-05

Last updated on: 2026-03-25

Assigner: VULSec Labs

Description
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid), machine-uid/src/lib.Rs and program routines symmetric_crypt(), encrypt_str_or_original(), decrypt_str_or_original(), get_uuid(), get_machine_id(). This issue affects RustDesk Client: through 1.4.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30785
EUVD
EUVD-2026-9833
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rustdesk rustdesk to 1.4.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-323 Nonces should be used for the present occasion and only once.
CWE-257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
CWE-916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves Improperly Controlled Modification of Object Prototype Attributes, also known as 'Prototype Pollution', combined with the use of password hashes that require insufficient computational effort. It affects the RustDesk Client software up to version 1.4.5 on Windows, MacOS, and Linux platforms. The issue lies within several program files related to password security, configuration encryption, and machine unique identifiers. Due to these weaknesses, an attacker could retrieve embedded sensitive data from the affected modules.

Impact Analysis

The vulnerability can lead to unauthorized retrieval of sensitive data such as permanent passwords and machine IDs. Since passwords may be stored or transmitted with insufficient protection, attackers could potentially access or manipulate these credentials. This compromises the security of remote control sessions and system configurations, potentially allowing unauthorized access or control over affected machines.

Additionally, attempts to automate or manage RustDesk installations securely are hindered because encrypted passwords and IDs are tied to machine-specific identifiers, making it difficult to transfer or replicate encrypted credentials across devices.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking how RustDesk stores and handles passwords and computer IDs on your system.'}, {'type': 'paragraph', 'content': "On Linux systems, you can inspect the RustDesk configuration file located at ~/.config/rustdesk/RustDesk.toml to see if the 'enc_id' parameter and passwords are stored encrypted or in plain text."}, {'type': 'paragraph', 'content': 'RustDesk provides command line arguments to interact with passwords and IDs, such as `--password` to set a password and `--get-id` to retrieve the computer ID. However, these commands require a graphical environment to run and will fail in headless terminals.'}, {'type': 'list_item', 'content': 'Check the RustDesk configuration file for unencrypted passwords or IDs: `cat ~/.config/rustdesk/RustDesk.toml`'}, {'type': 'list_item', 'content': 'Attempt to retrieve the computer ID using RustDesk with GUI: `rustdesk --get-id`'}, {'type': 'list_item', 'content': 'Set a password via command line for testing: `rustdesk --password randompassword` (requires GUI)'}, {'type': 'paragraph', 'content': 'Note that no definitive commands or automated detection tools are provided to detect the vulnerability directly, and attempts to run these commands without a graphical interface will result in errors.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, ensure that passwords and computer IDs are stored encrypted rather than in plain text.'}, {'type': 'paragraph', 'content': "Use RustDesk's updated handling of passwords and IDs, which hashes or encrypts these values in the configuration files."}, {'type': 'paragraph', 'content': 'Avoid storing plain text passwords in software distribution directories or configuration files accessible to other users.'}, {'type': 'list_item', 'content': 'Set passwords via the RustDesk command line argument `--password` rather than manually editing configuration files.'}, {'type': 'list_item', 'content': 'Use the `--get-id` command to retrieve the computer ID securely when needed.'}, {'type': 'paragraph', 'content': 'Consider requesting or implementing features that allow setting already encrypted passwords via command line or environment variables to avoid exposure of plain text passwords.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30785. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart