Description
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines Heartbeat JSON payload construction (preset-address-book-password).

This issue affects RustDesk Client: through 1.4.5.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cleartext Transmission of Sensitive Information
Action: Apply Patch
AI Analysis

Impact

The RustDesk Client accepts insecure TLS certificates after a handshake failure and transmits sensitive information such as address book passwords in clear text, allowing an attacker to extract data via network sniffing. This weakness enables the disclosure of credentials and other private data that the client sends during heartbeat sync operations.

Affected Systems

All platforms supported by RustDesk Client—Windows, macOS, Linux, iOS, and Android—are affected for versions up to and including 1.4.5. The issue resides in the heartbeat sync loop modules and the construction of JSON payloads that carry preset‑address‑book‑password data.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability is categorized as high severity, yet the EPSS score is less than 1%, indicating a low current exploit probability. The vulnerability is not listed in CISA’s KEV catalog, so there is no evidence of widespread exploitation. The likely attack vector is a man‑in‑the‑middle or passive sniffing of traffic, exploiting the client’s silent acceptance of invalid certificates to intercept unencrypted payloads.

Generated by OpenCVE AI on April 16, 2026 at 12:22 UTC.

Remediation

Vendor Solution

Hash or encrypt the credential before transmission. Transition to SRP.


Vendor Workaround

Avoid setting address book passwords; use account-based access only.


OpenCVE Recommended Actions

  • Hash or encrypt the credential before transmission. Transition to SRP.
  • Upgrade RustDesk Client to a version greater than 1.4.5 where TLS certificate validation is enforced and insecure payload handling is fixed.
  • Discontinue the use of preset‑address‑book‑passwords; rely exclusively on account‑based authentication to avoid transmitting sensitive data in clear text.
  • Configure the client and any accompanying proxy or firewall to enforce strict TLS certificate validation, rejecting all invalid or self‑signed certificates.


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:30:00 +0000

Values added:
First Time appeared: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk
CPEs:
cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk
Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 17 Mar 2026 15:15:00 +0000

Metrics ssvc
Values removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Metrics ssvc
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 15:45:00 +0000

Values added:
Description: added (the description shown at the top of this page)
Title: RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure
First Time appeared: Rustdesk-client; Rustdesk-client rustdesk Client
Weaknesses: CWE-319
CPEs:
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products: Rustdesk-client; Rustdesk-client rustdesk Client
References:
Metrics cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-17T14:31:15.664Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30795

Vulnrichment

Updated: 2026-03-05T16:35:27.051Z

NVD

Status : Analyzed

Published: 2026-03-05T16:16:20.410

Modified: 2026-03-25T15:25:40.423

Link: CVE-2026-30795

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses