Description
Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Address book sync, Heartbeat sync loop modules) allows Sniffing Attacks.

The client places the preset address-book password verbatim into the heartbeat sync JSON body (src/hbbs_http/sync.rs). Over an intact HTTPS session it is not exposed in transit, but it is a reusable shared secret rather than a zero-knowledge proof, so it is recovered by any party that becomes the API endpoint - under the automatic invalid-certificate TLS downgrade (CVE-2026-30794) or a re-homed/rogue API server (CVE-2026-30797) - and the leaked credential then authorizes the server-side address book.

This vulnerability is associated with program files src/hbbs_http/sync.rs and program routines heartbeat sync body builder (emits preset-address-book-password).

This issue affects RustDesk Client: through 1.4.8.
Published: 2026-03-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RustDesk Client copies the preset address‑book password verbatim into the heartbeat sync JSON body that it posts to the API server. Over an intact HTTPS session the password is not readable on the wire, but it is a reusable shared secret rather than a proof of knowledge, so any party that becomes the API endpoint receives it as‑is: under the automatic invalid‑certificate TLS downgrade tracked as CVE‑2026‑30794, or when the client is pointed at a re‑homed or rogue API server (CVE‑2026‑30797). Once the plaintext password reaches such a server it authorizes access to the server‑side address book, exposing the contacts stored there, and it remains valid until rotated. The weakness maps to cleartext transmission of sensitive information (CWE‑319) and insufficiently protected credentials (CWE‑522).
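As an added example that is not code from RustDesk or from OpenCVE, this is the check a practitioner would run on a request body captured from a lab client behind an intercepting proxy: decode the JSON and report every field that carries the configured address‑book secret verbatim, as a substring, or under a trivial base64 or hex encoding. The sample bodies and their field names (`ab.password`, `srp_A`, `srp_M1`) are constructed for the example and do not reproduce the client's real JSON layout in src/hbbs_http/sync.rs.

```python
"""Audit a captured sync request body for a configured secret appearing verbatim or trivially encoded."""
import base64
import hashlib
import json


def _walk(node, path="$"):
    """Yield (json_path, value) for every node in a decoded JSON document."""
    yield path, node
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _walk(child, f"{path}[{i}]")


def secret_forms(secret):
    """The configured secret plus encodings a developer might mistake for protection."""
    raw = secret.encode()
    return {
        "verbatim": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
    }


def find_secret_exposure(body, secret):
    """Return (json_path, form, how) hits in document order; how is 'equals' or 'contains'."""
    forms = secret_forms(secret)
    hits = []
    for path, value in _walk(json.loads(body)):
        if not isinstance(value, str):
            continue
        for form_name, form in forms.items():
            if value == form:
                hits.append((path, form_name, "equals"))
            elif form in value:
                hits.append((path, form_name, "contains"))
    return hits


# Constructed sample bodies. Field names are assumed for illustration; the real client's
# JSON layout in src/hbbs_http/sync.rs is not reproduced here.
SECRET = "correct horse battery staple"
LEAKY_BODY = json.dumps({
    "id": "123456789",
    "ver": "1.4.8",
    "ab": {"password": SECRET},  # reusable secret sent as-is on every heartbeat
})
OBFUSCATED_BODY = json.dumps({
    "id": "123456789",
    "ab": {"password": base64.b64encode(SECRET.encode()).decode()},  # encoding is not protection
})
HARDENED_BODY = json.dumps({
    "id": "123456789",
    "ab": {"srp_A": hashlib.sha256(b"constructed ephemeral A").hexdigest(),
           "srp_M1": hashlib.sha256(b"constructed proof M1").hexdigest()},
})

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("obfuscated", OBFUSCATED_BODY), ("hardened", HARDENED_BODY)):
        print(name, find_secret_exposure(body, SECRET))
```

Run it against a capture from your own client before and after upgrading: a client that has moved the address‑book API to a password‑authenticated key exchange should produce no hits for the configured secret, while any hit, including a base64 one, means the endpoint still receives a reusable credential.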

Affected Systems

The flaw exists in RustDesk Client versions up through 1.4.8 on Windows, macOS, Linux, iOS, and Android. Any installation of those versions that has a preset address‑book password configured sends it on every heartbeat, because of the sync body builder in src/hbbs_http/sync.rs; installations that use account‑based access only have no such secret to leak.

Risk and Exploitability

Despite the "sniffing" label, passive capture of an intact HTTPS session does not recover the password; the attacker has to become the API endpoint, which the description ties to the automatic invalid‑certificate TLS downgrade in CVE‑2026‑30794 or to a re‑homed/rogue API server in CVE‑2026‑30797. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N, score 6.9, medium) records that prerequisite as an attack requirement and places the impact on the subsequent system (SC:H), i.e. the server‑side address book rather than the client itself. The EPSS score is below 1 %, a very low estimated probability of exploitation in the wild, and the CVE is not in CISA's KEV catalog; the SSVC record marks exploitation as proof‑of‑concept, automatable, with partial technical impact.

Generated by OpenCVE AI on June 22, 2026 at 11:23 UTC.

Remediation

Vendor Solution

Transition Address Book API to SRP (Secure Remote Password)


Vendor Workaround

Avoid setting address book passwords; use account-based access only


OpenCVE Recommended Actions

  • Upgrade to a RustDesk Client release that implements SRP (Secure Remote Password) for the address book API, per the vendor’s official recommendation.
  • If an upgrade cannot be performed immediately, avoid configuring address‑book passwords and use account‑based authentication only, following the provided workaround.
  • Because the password is only recoverable by a party that becomes the API endpoint, treat the companion issues as part of the fix: make sure the client rejects invalid TLS certificates instead of downgrading (CVE‑2026‑30794) and that the API server address cannot be re‑homed (CVE‑2026‑30797). A VPN or an extra TLS layer does not help against a rogue endpoint that terminates the session.
  • If an address‑book password may already have reached an untrusted endpoint, change it: it is a reusable secret and stays valid until rotated.
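To show what the vendor's SRP transition changes, here is an added, self‑contained SRP‑6a exchange in Python (standard library only). It is not RustDesk's code and not a drop‑in for the address‑book API: it generates a toy safe‑prime group at run time instead of using a published RFC 5054 group, and the key‑confirmation messages M1 and M2 use the simplified H(A, B, K) and H(A, M1, K) forms rather than the RFC 2945 formula. A deployment would use a fixed RFC 5054 group, the standard proof formula and a vetted library. The identity and password are constructed for the example.

```python
"""SRP-6a over a std-lib-only toy group: the server stores a verifier and the wire never carries the password."""
import hashlib
import hmac
import secrets

def _probable_prime(n, rounds=24):
    """Miller-Rabin, adequate for a demo group; a deployment uses a fixed published RFC 5054 group."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Constructed toy modulus N = 2q + 1 with q prime, so g = 2 has large order."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _probable_prime(q) and _probable_prime(2 * q + 1):
            return 2 * q + 1

def _h(*parts):  # H(...) as an integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def _pad(n, N):  # fixed-width big-endian encoding, like RFC 5054's PAD()
    return n.to_bytes((N.bit_length() + 7) // 8, "big")

class SrpGroup:
    def __init__(self, N, g=2):
        self.N, self.g, self.k = N, g, _h(_pad(N, N), _pad(g, N))  # SRP-6a multiplier k = H(N, PAD(g))

def _private_x(salt, identity, password):
    # x = H(s, H(I ":" P)) is the only place the password enters; it never leaves the client.
    return _h(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())

def enroll(grp, identity, password):
    """One-time client-side setup; the server stores (salt, verifier = g^x), not the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(grp.g, _private_x(salt, identity, password), grp.N)

class SrpClient:
    def __init__(self, grp, identity, password):
        self.grp, self.identity, self.password = grp, identity, password
        self.a = secrets.randbelow(grp.N - 1) + 1
        self.A = pow(grp.g, self.a, grp.N)  # message 1: (identity, A)

    def answer(self, salt, B):
        N, g, k = self.grp.N, self.grp.g, self.grp.k
        u = _h(_pad(self.A, N), _pad(B, N))
        if B % N == 0 or u == 0:
            raise ValueError("degenerate server challenge")
        x = _private_x(salt, self.identity, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(_pad(S, N)).digest()
        self.M1 = hashlib.sha256(_pad(self.A, N) + _pad(B, N) + self.K).digest()
        return self.M1  # message 2: proof of x, from which x cannot be read back

    def verify_server(self, M2):
        return hmac.compare_digest(hashlib.sha256(_pad(self.A, self.grp.N) + self.M1 + self.K).digest(), M2)

class SrpServer:
    def __init__(self, grp, salt, verifier):
        self.grp, self.salt, self.v = grp, salt, verifier
        self.b = secrets.randbelow(grp.N - 1) + 1
        self.B = (grp.k * verifier + pow(grp.g, self.b, grp.N)) % grp.N  # challenge: (salt, B)

    def verify_client(self, A, M1):  # returns M2 on success, None on a wrong password
        N = self.grp.N
        u = _h(_pad(A, N), _pad(self.B, N))
        if A % N == 0 or u == 0:
            raise ValueError("degenerate client value")
        K = hashlib.sha256(_pad(pow(A * pow(self.v, u, N), self.b, N), N)).digest()
        if not hmac.compare_digest(hashlib.sha256(_pad(A, N) + _pad(self.B, N) + K).digest(), M1):
            return None
        return hashlib.sha256(_pad(A, N) + M1 + K).digest()  # M2: only a holder of the verifier can produce it

def authenticate(grp, identity, password, salt, verifier):
    """One full exchange. Returns (server accepted client, client accepted server, wire transcript)."""
    client, server = SrpClient(grp, identity, password), SrpServer(grp, salt, verifier)
    wire = [identity.encode(), _pad(client.A, grp.N), server.salt, _pad(server.B, grp.N)]
    M1 = client.answer(server.salt, server.B)
    wire.append(M1)
    M2 = server.verify_client(client.A, M1)
    if M2 is None:
        return False, False, wire
    wire.append(M2)
    return True, client.verify_server(M2), wire
```

What the server stores is (salt, verifier); what crosses the wire is (identity, A, salt, B, M1, M2), none of which contains the password, so a certificate‑downgraded or re‑homed endpoint that captures the exchange obtains no reusable credential. A rogue server that does not hold the verifier can embed at most one password guess in its B and learns only whether that guess was right, and it cannot produce a valid M2, so the client must abort when verify_server fails rather than proceed. Weak address‑book passwords are still exposed to online guessing against the real server, so rate limiting there remains necessary.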


Tracking


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description
  Removed: Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext). This issue affects RustDesk Server Pro: through 1.7.5.
  Added: Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Address book sync, Heartbeat sync loop modules) allows Sniffing Attacks. The client places the preset address-book password verbatim into the heartbeat sync JSON body (src/hbbs_http/sync.rs). Over an intact HTTPS session it is not exposed in transit, but it is a reusable shared secret rather than a zero-knowledge proof, so it is recovered by any party that becomes the API endpoint - under the automatic invalid-certificate TLS downgrade (CVE-2026-30794) or a re-homed/rogue API server (CVE-2026-30797) - and the leaked credential then authorizes the server-side address book. This vulnerability is associated with program files src/hbbs_http/sync.rs and program routines heartbeat sync body builder (emits preset-address-book-password). This issue affects RustDesk Client: through 1.4.8.
Title
  Removed: RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol
  Added: RustDesk Client Transmits Preset Address Book Password Verbatim in Heartbeat Sync
First Time appeared
  Added: Rustdesk-client
  Added: Rustdesk-client rustdesk Client
Weaknesses
  Added: CWE-522
CPEs
  Removed: cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:linux:*:*:*:*:*
  Removed: cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:macos:*:*:*:*:*
  Removed: cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:windows:*:*:*:*:*
  Added: cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
  Added: cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
  Added: cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
  Added: cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
  Added: cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products
  Added: Rustdesk-client
  Added: Rustdesk-client rustdesk Client
Metrics cvssV4_0
  Removed: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}
  Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}


Wed, 25 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
Vendors & Products Rustdesk rustdesk

Wed, 25 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Apple
  Added: Apple macos
  Added: Linux
  Added: Linux linux Kernel
  Added: Microsoft
  Added: Microsoft windows
  Added: Rustdesk
  Added: Rustdesk rustdesk
  Added: Rustdesk rustdesk Server
CPEs
  Added: cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
  Added: cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*
  Added: cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  Added: cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products
  Added: Apple
  Added: Apple macos
  Added: Linux
  Added: Linux linux Kernel
  Added: Microsoft
  Added: Microsoft windows
  Added: Rustdesk
  Added: Rustdesk rustdesk
  Added: Rustdesk rustdesk Server
Metrics cvssV3_1
  Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 17 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc
  Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 07 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description
  Added: Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext). This issue affects RustDesk Server Pro: through 1.7.5.
Title
  Added: RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol
First Time appeared
  Added: Rustdesk-server-pro
  Added: Rustdesk-server-pro rustdesk Server Pro
Weaknesses
  Added: CWE-319
CPEs
  Added: cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:linux:*:*:*:*:*
  Added: cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:macos:*:*:*:*:*
  Added: cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:windows:*:*:*:*:*
Vendors & Products
  Added: Rustdesk-server-pro
  Added: Rustdesk-server-pro rustdesk Server Pro
References
Metrics cvssV4_0
  Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Apple Macos
Linux Linux Kernel
Microsoft Windows
Rustdesk Rustdesk Server
Rustdesk-client Rustdesk Client
Rustdesk-server-pro Rustdesk Server Pro
MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-06-22T08:23:41.067Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30796

Vulnrichment

Updated: 2026-03-05T16:34:58.670Z

NVD

Status : Analyzed

Published: 2026-03-05T16:16:21.007

Modified: 2026-06-17T10:32:56.087

Link: CVE-2026-30796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T11:30:05Z

Weaknesses
  • CWE-319

    Cleartext Transmission of Sensitive Information

  • CWE-522

    Insufficiently Protected Credentials