Description
Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in the Middle (AiTM).

This vulnerability is associated with program files src/hbbs_http/http_client.Rs and program routines TLS retry with danger_accept_invalid_certs(true).

This issue affects RustDesk Client: through 1.4.8.
Published: 2026-03-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability, identified as an improper certificate validation flaw in RustDesk Client's HTTP API module, allows the client to accept invalid TLS certificates after a handshake failure, enabling an attacker to perform a man-in-the-middle attack and intercept or tamper with encrypted traffic. The weakness is a classic improper certificate validation error (CWE-295).

Affected Systems

Affected binaries include any installation of RustDesk Client through version 1.4.8 on Windows, macOS, Linux, iOS, and Android. The vulnerability resides in the HTTP client module, in the TLS retry routine that re-attempts the connection with the danger_accept_invalid_certs option enabled. The clients listed in the known CPEs, such as rustdesk-client:rustdesk_client across all major operating systems, are vulnerable.

Risk and Exploitability

The CVSS score of 9.1 marks this as a critical-severity vulnerability. Although the EPSS score is below 1%, indicating a very low current exploitation probability, the potential impact of a successful Adversary in the Middle remains high. The flaw is not yet included in the CISA KEV catalog, but the absence of a KEV listing does not reduce the risk. Attackers would need to force a TLS handshake failure or redirect connections to their own server, conditions that are achievable with basic network interception tools. Mitigation requires removing the automatic fallback or upgrading to a fixed version.

Generated by OpenCVE AI on June 22, 2026 at 11:52 UTC.

Remediation

Vendor Solution

Remove automatic fallback. Treat TLS handshake failures as fatal.
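
The retry-with-fallback pattern named in the Risk and Exploitability paragraph, set against the vendor's "treat handshake failures as fatal" fix, as an added example in Rust; this is not RustDesk's code, and the `handshake` function and `Session` type are hypothetical stand-ins for a real TLS client builder (one exposing a switch like danger_accept_invalid_certs):

```rust
// Added illustration of the retry-with-fallback pattern this record describes.
// This is NOT RustDesk's code: `handshake` is a hypothetical stand-in for a
// real TLS client builder such as one exposing danger_accept_invalid_certs.

#[derive(Debug, PartialEq)]
pub enum TlsError {
    InvalidCert,
}

/// What the caller ends up with: the peer it is talking to and whether the
/// peer's certificate chain was actually validated.
#[derive(Debug, PartialEq)]
pub struct Session {
    pub peer: &'static str,
    pub verified: bool,
}

/// Stand-in for the TLS stack (assumption, not a real API). `cert_valid == false`
/// models a peer presenting a certificate that does not chain to a trusted
/// root; `accept_invalid` is the danger_accept_invalid_certs switch.
fn handshake(peer: &'static str, cert_valid: bool, accept_invalid: bool) -> Result<Session, TlsError> {
    if cert_valid || accept_invalid {
        Ok(Session { peer, verified: !accept_invalid })
    } else {
        Err(TlsError::InvalidCert)
    }
}

/// Vulnerable pattern (CWE-295): try a verified handshake, and on *any* error
/// retry with validation disabled. Whoever can make the first handshake fail
/// is handed an unauthenticated session, so the fallback defeats TLS entirely.
pub fn connect_with_fallback(peer: &'static str, cert_valid: bool) -> Result<Session, TlsError> {
    match handshake(peer, cert_valid, false) {
        Ok(session) => Ok(session),
        Err(_) => handshake(peer, cert_valid, true), // the danger_accept_invalid_certs(true) retry
    }
}

/// Fixed pattern, matching the vendor solution: a handshake failure is fatal
/// and the error is surfaced to the caller instead of being retried insecurely.
pub fn connect_strict(peer: &'static str, cert_valid: bool) -> Result<Session, TlsError> {
    handshake(peer, cert_valid, false)
}

fn main() {
    // Constructed scenario: the peer presents an untrusted certificate.
    println!("fallback: {:?}", connect_with_fallback("untrusted-peer", false));
    println!("strict:   {:?}", connect_strict("untrusted-peer", false));
}
```

With an untrusted certificate the fallback path returns a session whose `verified` flag is false, while the strict path returns an error; against a valid certificate both behave identically, which is why the downgrade goes unnoticed in normal operation.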


Vendor Workaround

Ensure the network path to the API server cannot be intercepted (VPN, direct link).

OpenCVE Recommended Actions

  • Apply the vendor-recommended configuration change to treat TLS handshake failures as fatal.
  • Ensure the network path to the RustDesk API server cannot be intercepted, for example, by using a VPN or a direct, trusted connection.
  • Check for and apply any vendor patches or updates that fix the automatic TLS fallback issue.


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 10:00:00 +0000

Type: Description
Values Removed: Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in the Middle (AiTM). This vulnerability is associated with program files src/hbbs_http/http_client.Rs and program routines TLS retry with danger_accept_invalid_certs(true). This issue affects RustDesk Client: through 1.4.5.
Values Added: Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in the Middle (AiTM). This vulnerability is associated with program files src/hbbs_http/http_client.Rs and program routines TLS retry with danger_accept_invalid_certs(true). This issue affects RustDesk Client: through 1.4.8.

Wed, 25 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk

Type: CPEs
Values Added:
cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 15:45:00 +0000

Type: Description
Values Added: Improper Certificate Validation vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (HTTP API client, TLS transport modules) allows Adversary in the Middle (AiTM). This vulnerability is associated with program files src/hbbs_http/http_client.Rs and program routines TLS retry with danger_accept_invalid_certs(true). This issue affects RustDesk Client: through 1.4.5.

Type: Title
Values Added: RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure

Type: First Time appeared
Values Added: Rustdesk-client; Rustdesk-client rustdesk Client

Type: Weaknesses
Values Added: CWE-295

Type: CPEs
Values Added:
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*

Type: Vendors & Products
Values Added: Rustdesk-client; Rustdesk-client rustdesk Client

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV4_0 {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-06-22T08:24:56.842Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30794

Vulnrichment

Updated: 2026-03-05T16:35:54.307Z

NVD

Status : Analyzed

Published: 2026-03-05T16:16:20.177

Modified: 2026-06-17T10:32:55.820

Link: CVE-2026-30794

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T12:00:05Z

Weaknesses
  • CWE-295: Improper Certificate Validation