Vulnerability Details CVE-2026-30796
Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in RustDesk Client (rustdesk-client) on Windows, macOS, Linux, iOS, Android (Address book sync, Heartbeat sync loop modules) allows Sniffing Attacks.
The client places the preset address-book password verbatim into the heartbeat sync JSON body (src/hbbs_http/sync.rs). Over an intact HTTPS session it is not exposed in transit, but it is a reusable shared secret rather than a zero-knowledge proof, so it is recovered by any party that becomes the API endpoint - under the automatic invalid-certificate TLS downgrade (CVE-2026-30794) or a re-homed/rogue API server (CVE-2026-30797) - and the leaked credential then authorizes the server-side address book.
This vulnerability is associated with program files src/hbbs_http/sync.rs and program routines heartbeat sync body builder (emits preset-address-book-password).
This issue affects RustDesk Client: through 1.4.8.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 17.2%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-30796
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.10
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.10-1
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.10-2
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.10-3
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.10-4
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.10-5
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.11
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.12
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.12-1
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.12-2
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.13
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.13-1
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.14
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.14-1
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.14-4
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.14-5
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.14-6
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.14-7
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.8
- cpe:2.3:a:rustdesk:rustdesk_server:1.1.9
- cpe:2.3:a:rustdesk:rustdesk_server:1.2.0
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.0
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.1
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.10
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.11
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.12
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.2
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.3
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.4
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.5
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.6
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.7
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.8
- cpe:2.3:a:rustdesk:rustdesk_server:1.3.9
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.0
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.1
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.2
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.3
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.4
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.5
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.6
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.7
- cpe:2.3:a:rustdesk:rustdesk_server:1.4.8
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.0
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.1
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.2
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.3
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.4
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.5
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.6
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.7
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.8
- cpe:2.3:a:rustdesk:rustdesk_server:1.5.9
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.0
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.1
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.2
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.3
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.4
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.5
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.6
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.7
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.8
- cpe:2.3:a:rustdesk:rustdesk_server:1.6.9
- cpe:2.3:a:rustdesk:rustdesk_server:1.7.0
- cpe:2.3:a:rustdesk:rustdesk_server:1.7.1
- cpe:2.3:a:rustdesk:rustdesk_server:1.7.2
- cpe:2.3:a:rustdesk:rustdesk_server:1.7.3
- cpe:2.3:a:rustdesk:rustdesk_server:1.7.4
- cpe:2.3:a:rustdesk:rustdesk_server:1.7.5
- cpe:2.3:o:linux:linux_kernel:-
- cpe:2.3:o:microsoft:windows:-