PatchSiren cyber security CVE debrief

CVE-2026-30796 rustdesk-client CVE debrief

CVE-2026-30796 is a Cleartext Transmission of Sensitive Information and Insufficiently Protected Credentials vulnerability in RustDesk Client on multiple platforms. The client places the preset address-book password verbatim in the heartbeat sync JSON body, so the credential is readable by whoever operates, or has taken over, the API endpoint that receives the heartbeat; the CVE record classes this as a Sniffing Attack. The issue affects RustDesk Client versions up to 1.4.8 and is associated with the program file src/hbbs_http/sync.rs. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity.

Vendor: rustdesk-client
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-05
Original CVE updated: 2026-06-22
Advisory published: 2026-03-05
Advisory updated: 2026-06-22

Who should care

Defenders of RustDesk Client installations, particularly those running versions up to 1.4.8 on Windows, macOS, Linux, iOS, and Android, should be aware of this vulnerability. Because the address-book password travels in cleartext inside the heartbeat sync body, an attacker who can intercept or redirect that sync recovers the password and gains unauthorized access to the server-side address book.

Technical summary

The RustDesk Client vulnerability (CVE-2026-30796) involves the insecure transmission of sensitive information, specifically the preset address-book password. The password is included verbatim in the heartbeat sync JSON body (src/hbbs_http/sync.rs). An intact HTTPS session shields it from passive sniffing on the wire, but the same shared secret is reused on every heartbeat and is readable in full by whichever party terminates the session as the API endpoint. Two companion issues put an attacker in that position: an automatic invalid-certificate TLS downgrade (CVE-2026-30794) or a re-homed/rogue API server (CVE-2026-30797). Either one lets the attacker recover the credential and gain unauthorized access to the server-side address book.

Defensive priority

Medium priority: the password is only exposed to a party that controls or has hijacked the API endpoint, but once exposed it grants access to the server-side address book and keeps being re-sent on every heartbeat until it is changed.

Recommended defensive actions

  • Inventory RustDesk Client installations and update any at version 1.4.8 or earlier to a release later than 1.4.8.
  • Verify that every client is configured to sync with the intended API server, and restrict which hosts clients can reach as an API endpoint.
  • Monitor heartbeat sync traffic for syncs to unexpected API hosts or over plain HTTP; either indicates the password has reached an untrusted endpoint.
  • Enforce strict TLS configuration and certificate validation on the API connection, so the invalid-certificate downgrade in CVE-2026-30794 cannot be used to hijack the sync session.
  • Rotate the preset address-book password if any client may have synced with an untrusted endpoint, since the same secret is sent on every heartbeat.
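A worked example of the monitoring and rotation steps above, added here and not code from PatchSiren or the RustDesk project. It triages constructed egress-proxy log lines and applies the two attacker preconditions named in the technical summary: a heartbeat sent over plain HTTP (one observable form of downgrade) and a heartbeat sent to a host other than the configured API server. The log format, host names, client identifiers and the /api/heartbeat path are all assumptions made for the example; RustDesk's real sync endpoint path is not stated on this page.

```python
"""Triage of constructed egress-proxy log lines for RustDesk heartbeat sync traffic.

Added example, not code from PatchSiren or the RustDesk project. The log format,
the host names, the client identifiers and the '/api/heartbeat' path are all
constructed for illustration; RustDesk's real sync endpoint path is not stated
on the page and is not assumed to be this one.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: one line per outbound request as a forward proxy might log it.
# Fields: timestamp, source host, method, full URL, HTTP status.
SAMPLE_LOG = """\
2026-03-06T08:00:01Z ws-101 POST https://api.rustdesk.example.internal/api/heartbeat 200
2026-03-06T08:00:02Z ws-102 POST http://api.rustdesk.example.internal/api/heartbeat 200
2026-03-06T08:00:03Z ws-103 POST https://203.0.113.45/api/heartbeat 200
2026-03-06T08:00:04Z ws-104 POST https://api.rustdesk.example.internal/api/heartbeat 200
2026-03-06T08:00:05Z ws-105 GET https://updates.example.internal/version 200
"""

# The API server the fleet is configured to sync with (assumed for the example).
EXPECTED_API_HOST = "api.rustdesk.example.internal"
HEARTBEAT_PATH = "/api/heartbeat"  # assumed path, see module docstring


@dataclass(frozen=True)
class Finding:
    client: str
    url: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into (ts, client, method, url, status), or None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return ts, client, method, url, status


def triage(log_text: str, expected_host: str = EXPECTED_API_HOST) -> list[Finding]:
    """Return one Finding per heartbeat sync whose endpoint an attacker could own.

    The heartbeat body carries the preset address-book password verbatim, so the
    password is exposed whenever the endpoint is not the trusted API server over
    intact TLS: a plain-http sync (one observable form of the downgrade behind
    CVE-2026-30794) or a sync to an unexpected host (the rogue-server case of
    CVE-2026-30797).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, method, url, _status = rec
        u = urlsplit(url)
        if method != "POST" or u.path != HEARTBEAT_PATH:
            continue  # not a heartbeat sync
        if u.scheme != "https":
            findings.append(Finding(client, url, "heartbeat sent over plain http (downgrade)"))
        elif u.hostname != expected_host:
            findings.append(Finding(client, url, "heartbeat sent to unexpected API host"))
    return findings


def clients_to_rotate(log_text: str) -> set[str]:
    """Clients whose preset address-book password should be treated as exposed."""
    return {f.client for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.client}: {f.reason} ({f.url})")
    print("rotate address-book password for:", sorted(clients_to_rotate(SAMPLE_LOG)))
```

On the constructed sample this flags ws-102 (plain http) and ws-103 (unexpected host) and leaves the two normal syncs alone. Note the caveat: a downgrade that keeps the https scheme but accepts an untrusted certificate is invisible in URL-level logs; catching that case needs certificate or TLS-inspection data from the proxy, not just the request line.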

Evidence notes

The primary evidence for this vulnerability comes from the CVE-2026-30796 record and associated sources. The affected product is RustDesk Client, up to version 1.4.8, across various platforms. Defenders should verify the version of RustDesk Client in use and review the official documentation for mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.