CVE-2026-35207
MEDIUMdeepinid plugin in dde-control-center is configured to skip TLS certificate verification when downloading avatar from remote server
Title source: cnaDescription
dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.
References (4)
Scores
CVSS v3
5.4
EPSS
0.0002
EPSS Percentile
4.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-295
Status
published
Products (3)
linuxdeepin/dde-control-center
>= 5.5.3, < 5.9.9
linuxdeepin/dde-control-center
>= 6.1.35, < 6.1.80
linuxdeepin/deepin-deepinid-plugin
>= 2.0.1, <= 2.0.9
Published
Apr 09, 2026
Tracked Since
Apr 10, 2026