Skip to main content

Dde Control Center CVE-2026-35207

| EUVDEUVD-2026-20991 MEDIUM
Improper Certificate Validation (CWE-295)
2026-04-09 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
6.1.80,5.9.9
EUVD ID Assigned
Apr 09, 2026 - 18:15 euvd
EUVD-2026-20991
Analysis Generated
Apr 09, 2026 - 18:15 vuln.today
CVE Published
Apr 09, 2026 - 17:48 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.

AnalysisAI

Man-in-the-middle attackers can intercept unverified TLS connections in dde-control-center versions prior to 6.1.80 and 5.9.9, allowing replacement of user avatar images fetched from openapi.deepin.com with malicious or misleading content, potentially enabling user identification or social engineering attacks. The vulnerability stems from disabled TLS certificate verification in the plugin-deepinid component and requires no authentication but does require user interaction to trigger avatar fetches.

Technical ContextAI

The vulnerability exists in plugin-deepinid, a component of dde-control-center (the Deepin Desktop Environment control panel) that manages deepinid cloud service integration. The root cause is improper certificate validation (CWE-295: Improper Certificate Validation) when the plugin makes HTTPS requests to openapi.deepin.com and other providers to retrieve user avatars. By disabling or bypassing TLS certificate verification, the plugin becomes susceptible to man-in-the-middle (MITM) attacks where an attacker positioned on the network path can intercept encrypted traffic, forge responses, and inject malicious image content without cryptographic validation. The affected CPE entries indicate the issue affects linuxdeepin's dde-control-center and deepin-deepinid-plugin products across versions below 6.1.80 (main branch) and 5.9.9 (legacy branch).

RemediationAI

Vendor-released patch: dde-control-center 6.1.80 (main branch) and 5.9.9 (legacy branch) include fixes that enable proper TLS certificate verification in plugin-deepinid. Users should upgrade to these versions or later immediately. The upstream fix is documented in GitHub commits 6fc206120be28d9eef7d72258662bcabb834367f and cd95b054ff10a35bc9284431631305bd56244b3d, and pull request #3146 provides technical context. Until patching is possible, users should avoid using dde-control-center on untrusted or public networks where MITM attacks are feasible, and consider using VPN or network isolation to reduce attack surface.

Share

CVE-2026-35207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy