Platform: linux
Component: dde-control-center
Fixed in: 6.1.36, 5.5.4, 2.0.2
CVE-2026-35207 is a vulnerability in the dde-control-center, specifically within the plugin-deepinid component, which manages the Deepin ID cloud service. This flaw allows a man-in-the-middle (MITM) attacker to intercept network traffic and replace user avatars with malicious or misleading images, potentially leading to user identification. The vulnerability affects versions 5.5.3–>= 6.1.35, < 6.1.80 and is resolved in dde-control-center 6.1.80 and 5.9.9.
The primary impact of CVE-2026-35207 is the potential for user impersonation and phishing attacks. An attacker positioned between the user and openapi.deepin.com (or other providers) can intercept avatar requests and substitute them with malicious images. This could be used to display misleading information, trick users into performing actions they wouldn't otherwise take, or even identify users based on their avatar. While the vulnerability doesn't directly lead to code execution or data breaches, the social engineering possibilities are significant, particularly in environments where users rely on visual cues for authentication or trust.
This vulnerability was publicly disclosed on 2026-04-09. There are currently no known public proof-of-concept exploits available. The EPSS score is likely low to medium, given the requirement for an MITM position and the limited direct impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
The recommended mitigation for CVE-2026-35207 is to immediately upgrade dde-control-center to version 6.1.80 or 5.9.9. These versions address the TLS certificate verification issue. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to enforce strict TLS certificate validation for traffic to openapi.deepin.com. Monitor network traffic for suspicious avatar replacements. After the upgrade, confirm the fix by verifying that TLS certificate verification is enabled for avatar requests using network analysis tools.
Update the dde-control-center package to version 6.1.80 or higher, or to version 5.9.9 if you are using a version prior to 6.1.35. This update corrects the misconfiguration that allowed skipping TLS certificate verification when downloading avatars, mitigating the risk of Man-in-the-Middle attacks.
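To make the weak setting and the post-upgrade check concrete, here is an added example that is not dde-control-center's or Deepin's code (the real client is C++/Qt): a Go program that stands up a local TLS server whose certificate no CA store trusts, the same position an on-path attacker holds, and shows that a client with certificate verification skipped accepts a forged avatar while a verifying client rejects it. The avatar bytes, the /avatar.png path and the Go HTTP client are constructed stand-ins for the real openapi.deepin.com request.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed placeholder for the bytes an untrusted on-path server would
// return in place of the real avatar; not Deepin ID data.
const forgedAvatar = "GIF89a-constructed-forged-avatar"
// newAvatarClient returns an HTTPS client. skipVerify=true reproduces the weak
// setting the advisory describes (peer certificate never checked); false keeps
// Go's default chain and hostname verification, the corrected state.
func newAvatarClient(skipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
	}}
}

// ForgedCertAccepted serves an "avatar" from a local TLS server whose certificate
// no CA store trusts (the position an on-path attacker holds) and reports whether
// a client built with skipVerify accepted it. A verifying client must reject it.
func ForgedCertAccepted(skipVerify bool) (bool, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, forgedAvatar)
	}))
	defer srv.Close()
	resp, err := newAvatarClient(skipVerify).Get(srv.URL + "/avatar.png")
	if err != nil {
		var verifyErr *tls.CertificateVerificationError
		if errors.As(err, &verifyErr) {
			return false, nil // verification rejected the untrusted certificate
		}
		return false, err // any other failure is reported, not guessed at
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return err == nil && string(body) == forgedAvatar, err
}

func main() {
	for _, skip := range []bool{true, false} {
		accepted, err := ForgedCertAccepted(skip)
		fmt.Printf("skipVerify=%v acceptedForgedAvatar=%v err=%v\n", skip, accepted, err)
	}
}
```

The same two-run check, pointed at the real endpoint with a deliberately untrusted proxy certificate, is one way to confirm after the upgrade that avatar requests now verify the server certificate.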
CVE-2026-35207 is a vulnerability in dde-control-center allowing an attacker to replace user avatars due to skipped TLS certificate verification, potentially leading to user identification.
You are affected if you are using dde-control-center versions 5.5.3–>= 6.1.35, < 6.1.80. Upgrade to 6.1.80 or 5.9.9 to resolve the issue.
Upgrade dde-control-center to version 6.1.80 or 5.9.9. As a temporary workaround, implement a WAF to enforce TLS certificate validation.
There are currently no known active exploits for CVE-2026-35207, but the potential for MITM attacks exists.
Refer to the Deepin project's security advisories for the official advisory regarding CVE-2026-35207.