Description
Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in the Middle (AiTM). This vulnerability is associated with program files src/hbbs_http/http_client.Rs and program routines TLS retry with danger_accept_invalid_certs(true).

This issue affects RustDesk Client: through 1.4.5.
Published: 2026-03-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized TLS certificate acceptance enabling man‑in‑the‑middle interception
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a bug in the RustDesk Client's HTTP API code that causes the HTTP client to silently accept TLS certificates marked as invalid after a handshake failure. This flaw allows a man‑in‑the‑middle attacker to present a forged or expired certificate and have the client trust it, enabling full interception of encrypted traffic and potentially credential theft. The weakness is a classic improper certificate validation error (CWE‑295).

Affected Systems

Affected binaries include any installation of RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android. The issue resides in the HTTP client module and the TLS retry routine that enables the dangerous_accept_invalid_certs option. The clients listed in known CPEs, such as rustdesk-client:rustdesk_client on all major operating systems, are vulnerable.

Risk and Exploitability

The CVSS score of 9.1 marks this as a high‑severity vulnerability. Although the EPSS score is below 1 %, indicating a very low current exploitation probability, the potential impact of a successful Adversary in the Middle remains high. The flaw is not yet included in the CISA KEV catalog, but the absence of a KEV listing does not reduce the risk. Attackers would need to force a TLS handshake failure or redirect connections to their own server, conditions that are achievable with basic network interception tools. Mitigation requires removing the automatic fallback or upgrading to a fixed version.

Generated by OpenCVE AI on April 16, 2026 at 04:44 UTC.

Remediation

Vendor Solution

Remove automatic fallback. Treat TLS handshake failures as fatal.

Vendor Workaround

Ensure network path to API server cannot be intercepted (VPN, direct link)

OpenCVE Recommended Actions

  • Upgrade RustDesk Client to the latest stable release (≥ 1.4.6) to remove the automatic TLS fallback.
  • Apply the vendor‑recommended configuration change to treat TLS handshake failures as fatal.
  • Ensure the network path to the RustDesk API server cannot be intercepted, for example by using a VPN or a direct, trusted connection.

Generated by OpenCVE AI on April 16, 2026 at 04:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
Apple macos
Google
Google android
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk
CPEs cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os
Apple macos
Google
Google android
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 17 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in the Middle (AiTM). This vulnerability is associated with program files src/hbbs_http/http_client.Rs and program routines TLS retry with danger_accept_invalid_certs(true). This issue affects RustDesk Client: through 1.4.5.
Title RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure
First Time appeared Rustdesk-client
Rustdesk-client rustdesk Client
Weaknesses CWE-295
CPEs cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products Rustdesk-client
Rustdesk-client rustdesk Client
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Apple Iphone Os Macos
Google Android
Linux Linux Kernel
Microsoft Windows
Rustdesk Rustdesk
Rustdesk-client Rustdesk Client
cve-icon MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-17T14:34:54.701Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30794

cve-icon Vulnrichment

Updated: 2026-03-05T16:35:54.307Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T16:16:20.177

Modified: 2026-03-25T15:29:08.903

Link: CVE-2026-30794

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T04:45:16Z

Weaknesses