cvedb.io
CVE-2026-30796
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-05T16:16:21.007 · Last modified 2026-06-22T14:17:35.323

Summary

Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Address book sync, Heartbeat sync loop modules) allows Sniffing Attacks.

The client places the preset address-book password verbatim into the heartbeat sync JSON body (src/hbbs_http/sync.rs). Over an intact HTTPS session it is not exposed in transit, but it is a reusable shared secret rather than a zero-knowledge proof, so it is recovered by any party that becomes the API endpoint - under the automatic invalid-certificate TLS downgrade (CVE-2026-30794) or a re-homed/rogue API server (CVE-2026-30797) - and the leaked credential then authorizes the server-side address book. This vulnerability is associ
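The following is an added illustration, not code from RustDesk or from the advisory, written in Python rather than the project's Rust so that it runs with the standard library alone. It contrasts the pattern the summary describes (the address-book password sent verbatim in the heartbeat JSON body, so whoever terminates the connection reads it) with a hypothetical proof-of-possession design in which the client only ever sends an HMAC over a server-issued nonce. All field names, the server identity string, the device id and the password are constructed for the example; they are not RustDesk's actual wire format.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample credential for the demo; not a real secret.
PRESET_AB_PASSWORD = "correct-horse-battery"
CANON = {"sort_keys": True, "separators": (",", ":")}  # stable JSON for MAC input


def vulnerable_heartbeat_body(device_id: str, ab_password: str) -> str:
    """Pattern the advisory describes: the shared secret travels verbatim in the body."""
    return json.dumps({"id": device_id, "ver": 1, "ab_password": ab_password}, **CANON)


def endpoint_recover_secret(body: str) -> Optional[str]:
    """Whoever becomes the API endpoint (TLS downgrade, re-homed server) just parses it."""
    return json.loads(body).get("ab_password")


def derive_key(ab_password: str, server_id: str) -> bytes:
    """Hypothetical hardening: bind the MAC key to the server identity, so a proof
    computed for one server is worthless at another (re-homed / rogue endpoint)."""
    return hashlib.pbkdf2_hmac("sha256", ab_password.encode(), server_id.encode(), 50_000)


def hardened_heartbeat_body(device_id: str, ab_password: str,
                            server_id: str, nonce_hex: str) -> str:
    """Client side: send only a MAC over (fields, server nonce); the password never leaves."""
    payload = {"id": device_id, "ver": 1, "nonce": nonce_hex}
    msg = json.dumps(payload, **CANON).encode()
    key = derive_key(ab_password, server_id)
    payload["proof"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return json.dumps(payload, **CANON)


def server_verify(body: str, stored_key: bytes, issued_nonce: str) -> bool:
    """Server side: recompute the MAC with the key it already holds; a captured body
    replays neither to this server (fresh nonce) nor to a different server (other key)."""
    fields = json.loads(body)
    proof = fields.pop("proof", None)
    if proof is None or fields.get("nonce") != issued_nonce:
        return False
    msg = json.dumps(fields, **CANON).encode()
    expected = hmac.new(stored_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """Run both flows against a 'rogue endpoint' observer and report what it gains."""
    legit = "hbbs.example"          # constructed server identity
    rogue = "rogue.example"         # constructed re-homed / MITM endpoint identity
    nonce = secrets.token_hex(16)   # legit server issues a fresh nonce per heartbeat

    # Vulnerable flow: the observer recovers the reusable secret outright.
    leaked = endpoint_recover_secret(vulnerable_heartbeat_body("dev-1", PRESET_AB_PASSWORD))

    # Hardened flow: legit server accepts; observer sees no password and cannot replay.
    body = hardened_heartbeat_body("dev-1", PRESET_AB_PASSWORD, legit, nonce)
    legit_key = derive_key(PRESET_AB_PASSWORD, legit)
    return {
        "vulnerable_leaks_password": leaked == PRESET_AB_PASSWORD,
        "hardened_accepted_by_legit": server_verify(body, legit_key, nonce),
        "hardened_exposes_password": endpoint_recover_secret(body) is not None,
        "replay_with_new_nonce": server_verify(body, legit_key, secrets.token_hex(16)),
        "replay_at_other_server": server_verify(body, derive_key(PRESET_AB_PASSWORD, rogue), nonce),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened variant closes the exact gap the summary names (the endpoint no longer receives something it can reuse against the server-side address book), but it is not a zero-knowledge proof: a rogue endpoint still obtains a MAC keyed from a password-derived key and can run an offline dictionary attack against a weak preset password. PBKDF2 only raises that cost; a PAKE or a per-device bearer token scoped to the address-book API would remove the password from the exchange entirely.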

Affected products

rustdesk — rustdesk_server


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.