Rustdesk
CVE-2026-30796
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe) · only source for this CVE.
CVSS VectorVendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source - API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext).
This issue affects RustDesk Server Pro: through 1.7.5.
AnalysisAI
RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.
Technical ContextAI
Classified as CWE-319 (Cleartext Transmission of Sensitive Information). Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext).
This issue affects RustDesk Server Pro: through 1.7.5.
RemediationAI
Monitor vendor advisories for a patch.
A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Au
Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-acce
Authorization scope bypass in RustDesk lets a peer holding only a FileTransfer authorization inject keyboard and mouse i
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remot
Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application
RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive
Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote atta
Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthen
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today