CVE-2026-30785

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid), machine-uid/src/lib.Rs and program routines symmetric_crypt(), encrypt_str_or_original(), decrypt_str_or_original(), get_uuid(), get_machine_id(). This issue affects RustDesk Client: through 1.4.5.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub	Exploit Third Party Advisory
https://github.com/rustdesk/rustdesk/discussions/4979	Issue Tracking
https://github.com/rustdesk/rustdesk/discussions/9229	Issue Tracking
https://www.vulsec.org/	Not Applicable

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:-:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

No history.

Information

Published : 2026-03-05 16:16

Updated : 2026-03-25 15:47

NVD link : CVE-2026-30785

Mitre link : CVE-2026-30785

CVE.ORG link : CVE-2026-30785

JSON object : View

Products Affected

microsoft

windows

linux

linux_kernel

rustdesk

rustdesk

apple

macos

CWE

CWE-257

Storing Passwords in a Recoverable Format

CWE-323

Reusing a Nonce, Key Pair in Encryption

CWE-916

Use of Password Hash With Insufficient Computational Effort

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2026-30785", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T16:16:19.270", "references": [{"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub", "tags": ["Exploit", "Third Party Advisory"], "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"}, {"url": "https://github.com/rustdesk/rustdesk/discussions/4979", "tags": ["Issue Tracking"], "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"}, {"url": "https://github.com/rustdesk/rustdesk/discussions/9229", "tags": ["Issue Tracking"], "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"}, {"url": "https://www.vulsec.org/", "tags": ["Not Applicable"], "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe", "description": [{"lang": "en", "value": "CWE-257"}, {"lang": "en", "value": "CWE-323"}, {"lang": "en", "value": "CWE-916"}, {"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid), machine-uid/src/lib.Rs and program routines symmetric_crypt(), encrypt_str_or_original(), decrypt_str_or_original(), get_uuid(), get_machine_id().\n\nThis issue affects RustDesk Client: through 1.4.5."}, {"lang": "es", "value": "Modificaci\u00f3n Inadecuadamente Controlada de Atributos de Prototipo de Objeto ('Contaminaci\u00f3n de Prototipos'), vulnerabilidad de Uso de Hash de Contrase\u00f1a Con Esfuerzo Computacional Insuficiente en rustdesk-client RustDesk Cliente rustdesk, hbb_common en Windows, MacOS, Linux (M\u00f3dulo de seguridad de contrase\u00f1a, cifrado de configuraci\u00f3n, m\u00f3dulos de UID de m\u00e1quina) permite Recuperar Datos Sensibles Incrustados. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid), machine-uid/src/lib.Rs y las rutinas de programa symmetric_crypt(), encrypt_str_or_original(), decrypt_str_or_original(), get_uuid(), get_machine_id().\n\nEste problema afecta a RustDesk Cliente: hasta la 1.4.5."}], "lastModified": "2026-03-25T15:47:08.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "70EE9711-C12B-402D-B28E-4CF19EC7BC88", "versionEndIncluding": "1.4.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe"}