CVE-2026-35207
Status: Received - Intake
TLS Verification Bypass in dde-control-center plugin-deepinid Enables MITM Attack

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-09
Generated: 2026-05-06
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 8 associated CPEs

Vendor        Product              Version / Range
deepin        dde-control-center   up to 6.1.80 (inc)
deepin        plugin-deepinid      up to 6.1.80 (exc)
deepin        dde-control-center   5.9.9
linuxdeepin   dde_control_center   6.1.80
linuxdeepin   dde_control_center   5.9.9
linuxdeepin   deepinid_plugin      from 2.0.1 (inc) to 2.0.9 (inc)
linuxdeepin   dde_control_center   from 6.1.35 (inc) to 6.1.80 (exc)
linuxdeepin   dde_control_center   from 5.5.3 (inc) to 5.9.9 (exc)

Note: the first row marks 6.1.80 as included in the affected range, which conflicts with the description and with the other rows, where 6.1.80 (6.x branch) and 5.9.9 (5.x branch) are the fixed releases. Treat those two versions as fixed; the rows listing them alone are the fixed versions, not affected ones.
Helpful Resources
CWE-295: The product does not validate, or incorrectly validates, a certificate.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35207 is a vulnerability in dde-control-center, the control panel of the Deepin Desktop Environment, specifically in its plugin-deepinid plugin, which integrates the deepinid cloud service. The plugin fetches the signed-in user's avatar image over HTTPS from openapi.deepin.com or another configured provider. Prior to version 6.1.80 (and 5.9.9 on the 5.x branch), the plugin was configured to skip TLS certificate verification for that download.

Skipping certificate verification means the plugin accepted whatever certificate the other end presented, so it never established that it was actually talking to openapi.deepin.com. An attacker positioned on the network path could terminate the TLS connection with a certificate of their own and the plugin would carry on as normal. From that position the attacker both sees the avatar request in the clear, which reveals which account is logged in and so can identify the user, and can substitute a malicious or misleading image for the real avatar.

The fix removes the code that disabled certificate verification, so avatar downloads now go through normal certificate validation and fail if the server's certificate is not trusted. The same change, as summarized here, is also described as tightening error handling and resource cleanup in the download path so that failed downloads do not leak memory.


How can this vulnerability impact me?

The exposure arises whenever the deepinid plugin downloads your avatar while an attacker controls a hop on the network path, for example on shared Wi-Fi or through a compromised router or DNS resolver. Because certificate verification was disabled, such an attacker can impersonate the avatar server without causing any error in the control center.

Two things follow. The attacker can read the avatar request and response, which ties your machine to a specific deepinid account and so can identify you (a confidentiality impact), and can replace the avatar with a malicious or misleading image that the control center then displays as yours (an integrity impact).

The flaw does not affect availability and does not by itself allow privilege escalation. It is rated CVSS 5.4 (moderate), reflecting that the attacker needs a network position and gains identification and misrepresentation through the avatar rather than control of the system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Whether a client verifies the server certificate is not visible on the wire: the TLS handshake to openapi.deepin.com looks the same whether or not the plugin checks the certificate it receives. Passive capture therefore cannot show that the plugin is vulnerable; it can only show that the avatar fetch happens and where it goes.

The reliable indicator is the installed version. Any dde-control-center in the affected ranges listed above (5.5.3 up to but not including 5.9.9, and 6.1.35 up to but not including 6.1.80) carries the flaw; 5.9.9 and 6.1.80 are the fixed releases.

Commands that help:

  • Read the installed version on a Debian-based Deepin system: dpkg-query -W -f='${Version}\n' dde-control-center, then compare it with the fixed release of its branch (5.9.9 for 5.x, 6.1.80 for 6.x); dpkg --compare-versions 5.9.8 lt 5.9.9 exits 0 when the first version is the older one.
  • Confirm that the avatar fetch is happening and see where it goes: tcpdump -i <interface> host openapi.deepin.com. The capture shows the connection, not whether the certificate was checked.
  • Test the behaviour directly: route the desktop's HTTPS traffic through an intercepting proxy such as mitmproxy whose CA certificate is not in the system trust store, trigger an avatar refresh in the deepinid settings, and see whether the image still loads. A vulnerable build accepts the proxy's forged certificate and shows the avatar; a fixed build fails the handshake.

Note that openssl s_client -connect openapi.deepin.com:443 -verify_return_error only tells you whether your machine trusts the real server's certificate chain. It says nothing about what the plugin does with that certificate, so it does not detect this bug.
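As an added example (not part of this page or of the dde-control-center project), the following POSIX shell script encodes the version logic above: it normalizes a Debian-style package version, places it in the affected or fixed ranges given in the CPE table and description, and, where dpkg is present, reads the installed dde-control-center version. The dpkg package name dde-control-center and the range boundaries are assumed as stated on this page; the page does not name a separate package for the plugin, so the script does not check one.

```shell
#!/bin/sh
# Added example for CVE-2026-35207: classify a dde-control-center version.
# Affected ranges (CPE table on this page): 5.5.3 <= v < 5.9.9, 6.1.35 <= v < 6.1.80.
# Fixed releases (description): 5.9.9 and 6.1.80.
# Package name "dde-control-center" for dpkg is an assumption taken from the page.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B.
# Compares dotted numeric versions component by component; a missing component counts as 0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        if [ "$ac" -lt "$bc" ]; then printf '%s\n' -1; return; fi
        if [ "$ac" -gt "$bc" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    printf '%s\n' 0
}

# in_range V LOW HIGH: succeeds when LOW <= V < HIGH, i.e. lower bound
# inclusive and upper bound exclusive, matching the "(inc)"/"(exc)" notation.
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]
}

# normalize_version: strip a Debian epoch and revision, e.g. "1:6.1.80-1" -> "6.1.80".
normalize_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+:)?([0-9]+(\.[0-9]+)*).*/\2/'
}

# assess_version V: prints "vulnerable", "fixed" or "unlisted" (outside every
# range the page lists, e.g. 6.0.x, which the page neither confirms nor clears).
assess_version() {
    v=$(normalize_version "$1")
    if in_range "$v" 5.5.3 5.9.9 || in_range "$v" 6.1.35 6.1.80; then
        echo vulnerable
    elif in_range "$v" 5.9.9 6.0.0 || [ "$(vercmp "$v" 6.1.80)" -ge 0 ]; then
        echo fixed
    else
        echo unlisted
    fi
}

# Live check on a Debian-based Deepin install; skipped where dpkg is absent.
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' dde-control-center 2>/dev/null)
    if [ -n "$installed" ]; then
        echo "dde-control-center $installed: $(assess_version "$installed")"
    else
        echo "dde-control-center: not installed according to dpkg"
    fi
fi
```

Run it with sh on the desktop in question; it prints the installed version followed by vulnerable, fixed or unlisted. The range comparison is deliberately separate from dpkg so that the same function can be fed version strings collected from other hosts, and the upper bound is exclusive so that 6.1.80 and 5.9.9 themselves come out as fixed.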

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update dde-control-center to 6.1.80 or later on the 6.x branch, or to 5.9.9 or later on the 5.x branch. On a Debian-based Deepin system: sudo apt update && sudo apt install --only-upgrade dde-control-center. If the deepinid plugin ships as its own package on your system, upgrade it at the same time.

The update removes the code that disabled TLS certificate verification, so avatar downloads validate the server certificate against the system trust store and fail on invalid, expired, wrong-hostname or self-signed certificates instead of silently accepting them.

Until the update is installed, treat the avatar download as if it were plaintext: avoid using the deepinid account features of the control center on untrusted networks such as public Wi-Fi.

If updating immediately is not possible, blocking outbound access from the client to openapi.deepin.com (or whichever avatar provider is configured) prevents the insecure download from happening at all, at the cost of the avatar not loading. Restricting the destination to "trusted sources" does not help here, because the defect is in the client accepting an untrusted certificate, not in the server.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-35207 disables TLS certificate verification for the avatar download, which exposes that connection to man-in-the-middle interception. An attacker in that position can read which account's avatar is being requested, and so identify the user, and can alter the image the user sees.

The flaw therefore weakens the confidentiality and integrity of personal data in transit. Frameworks such as GDPR (Article 32, security of processing) and the HIPAA Security Rule expect personal data to be protected in transit by appropriate technical measures, and working TLS validation is a baseline measure; a system running an affected version has one channel carrying an account identifier that falls short of that baseline.

Because the data involved is an avatar and the account it belongs to, the practical consequence is a remediation obligation: patch affected systems and, where vulnerability management is tracked for compliance purposes, record the exposure and the date it was closed.

