CVE-2026-35207 Overview
CVE-2026-35207 is a TLS Certificate Validation Bypass vulnerability affecting the dde-control-center, the control panel of DDE (Deepin Desktop Environment). The plugin-deepinid component, which provides Deepin ID cloud service functionality, is configured to skip TLS certificate verification when fetching user avatars from openapi.deepin.com or other providers.
This insecure configuration creates an opportunity for Man-in-the-Middle (MITM) attackers to intercept network traffic, replace user avatars with malicious or misleading images, and potentially identify users based on their avatar requests.
Critical Impact
Attackers positioned on the network path can intercept and manipulate avatar downloads, enabling user identification and potential social engineering attacks through misleading imagery.
Affected Products
- dde-control-center versions prior to 6.1.80
- dde-control-center versions prior to 5.9.9
- Deepin Desktop Environment with plugin-deepinid
Discovery Timeline
- 2026-04-09 - CVE-2026-35207 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35207
Vulnerability Analysis
This vulnerability stems from improper certificate validation (CWE-295) in the plugin-deepinid component. When the Deepin ID plugin attempts to download user avatars from remote servers, it explicitly disables SSL/TLS peer verification, accepting any certificate presented by the server without validation.
The vulnerability affects network-based communications and requires user interaction (visiting the control center settings), but no authentication is required for an attacker to exploit it. The impact includes potential confidentiality breach through user identification and integrity compromise through avatar manipulation.
Root Cause
The root cause is the explicit configuration of QSslSocket::VerifyNone in the SSL configuration for network requests. This setting instructs the Qt networking stack to accept any SSL/TLS certificate without verifying the certificate chain, issuer, or validity. This is a common but dangerous pattern often introduced during development to bypass certificate issues and inadvertently left in production code.
The vulnerability exists in the downloadurl.cpp file within the plugin-deepinid source, where avatar download requests are configured to skip certificate verification entirely.
Attack Vector
An attacker must be positioned on the network path between the victim's system and the avatar server (Man-in-the-Middle position). This could be achieved through:
- Compromised network infrastructure (routers, switches)
- ARP spoofing on local networks
- DNS poisoning to redirect requests
- Rogue Wi-Fi access points
Once positioned, the attacker can present their own certificate (which will be accepted without verification) and serve arbitrary content in response to avatar requests.
// Vulnerable code pattern from downloadurl.cpp
// Source: https://github.com/linuxdeepin/dde-control-center/commit/cd95b054ff10a35bc9284431631305bd56244b3d
request.setUrl(QUrl(url));
request.setAttribute(QNetworkRequest::FollowRedirectsAttribute, true);
+ QSslConfiguration config = QSslConfiguration::defaultConfiguration();
+ config.setPeerVerifyMode(QSslSocket::VerifyNone);
+ request.setSslConfiguration(config);
connect(m_manager, &QNetworkAccessManager::finished, this, &DownloadUrl::onDownloadFileComplete);
m_manager->get(request);
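Review bot: the three `+` lines replace the request's SSL configuration with one that sets `QSslSocket::VerifyNone`, so the `m_manager->get(request)` call below will complete the handshake with any certificate the avatar host (or whoever sits in the path) presents. Remove the three lines so the request keeps the default configuration, which verifies the peer, or set `config.setPeerVerifyMode(QSslSocket::VerifyPeer);` explicitly; if a specific certificate problem must be tolerated, handle it narrowly in a `QNetworkAccessManager::sslErrors` handler rather than disabling verification for the whole request.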
Detection Methods for CVE-2026-35207
Indicators of Compromise
- Unexpected network connections to non-standard SSL/TLS endpoints during dde-control-center usage
- Certificate warnings or errors in system logs that were subsequently bypassed
- Modified or unexpected avatar images appearing in the Deepin control center
- Network traffic anomalies during user authentication or profile loading
Detection Strategies
- Monitor for SSL/TLS connections from dde-control-center processes that accept invalid or self-signed certificates
- Implement network-level TLS inspection to identify connections with certificate validation failures
- Review system logs for plugin-deepinid related network activity to unusual destinations
- Deploy endpoint detection rules to flag applications making insecure HTTPS connections
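The network-level TLS inspection strategy above can be implemented over Zeek-style ssl.log records: a client that verifies certificates aborts the handshake on a bad chain, so a session that is established despite a failed validation is the signature of a client that skipped verification. The following is an added example, not code from the advisory or the dde-control-center project; it assumes ssl.log records with the `server_name`, `established` and `validation_status` columns and uses a constructed sample log.

```python
"""Flag TLS sessions in which the client accepted an invalid certificate.

Parses Zeek-style ssl.log records (tab-separated, with a #fields header).
A verifying client aborts the handshake on a bad chain, so `established == T`
together with a non-"ok" validation_status indicates a client that skipped
verification, the CVE-2026-35207 pattern.
"""

AVATAR_HOSTS = {"openapi.deepin.com"}  # expected avatar provider named in the advisory

# Constructed sample log for demonstration, not captured traffic.
SAMPLE_SSL_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tserver_name\testablished\tvalidation_status
1712649600.1\t10.0.0.5\t203.0.113.10\topenapi.deepin.com\tT\tok
1712649601.2\t10.0.0.5\t198.51.100.7\topenapi.deepin.com\tT\tself signed certificate
1712649602.3\t10.0.0.9\t198.51.100.7\topenapi.deepin.com\tF\tself signed certificate
1712649603.4\t10.0.0.5\t203.0.113.20\texample.org\tT\tunable to get local issuer certificate
"""


def parse_ssl_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def accepted_invalid_cert(records, hosts=AVATAR_HOSTS):
    """Return records where a watched host's session completed despite a failed validation.

    Sessions with established == F were aborted by the client (normal verifying
    behaviour) and are not reported; "-" means Zeek had no chain to validate.
    """
    hits = []
    for r in records:
        if r.get("server_name") not in hosts:
            continue
        if r.get("established") == "T" and r.get("validation_status") not in ("ok", "-"):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in accepted_invalid_cert(parse_ssl_log(SAMPLE_SSL_LOG)):
        print(f"{r['id.orig_h']} -> {r['id.resp_h']} ({r['server_name']}): "
              f"client accepted '{r['validation_status']}'")
```

Zeek sees only the wire, so attributing a hit to the dde-control-center process still requires endpoint telemetry from the flagged client host.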
Monitoring Recommendations
- Enable verbose logging for Qt network operations on systems running affected versions
- Monitor outbound connections from dde-control-center to openapi.deepin.com and related endpoints
- Implement certificate transparency monitoring for expected avatar hosting domains
- Deploy SentinelOne agents configured to detect anomalous network behavior from desktop environment components
How to Mitigate CVE-2026-35207
Immediate Actions Required
- Update dde-control-center to version 6.1.80 or later (for 6.x branch)
- Update dde-control-center to version 5.9.9 or later (for 5.x branch)
- Restrict network access to known-good avatar provider endpoints via firewall rules
- Consider disabling the Deepin ID cloud service functionality until patches are applied
Patch Information
The vulnerability has been fixed in dde-control-center versions 6.1.80 and 5.9.9. The patches enable proper TLS certificate verification for avatar download operations. For detailed information, refer to the GitHub Security Advisory and the related pull request #3146.
Security patches are available at:
Workarounds
- Avoid using public or untrusted Wi-Fi networks when using Deepin ID features
- Disable the Deepin ID cloud service integration in dde-control-center settings
- Use a VPN to encrypt network traffic and reduce MITM attack surface
- Block outbound connections from dde-control-center to external avatar providers at the network level
# Temporary workaround: Block avatar download endpoints via iptables
# Note: This will prevent avatar loading but mitigates the MITM risk
# Caveat: iptables resolves the hostname once, when the rule is inserted, so the rule only
# covers the addresses returned at that moment; re-insert it if the provider's DNS changes.
# -I places the rule at the head of OUTPUT so an earlier ACCEPT rule cannot match first;
# $(id -u) is expanded by the invoking user's shell before sudo runs, i.e. the desktop user's uid.
sudo iptables -I OUTPUT -p tcp -d openapi.deepin.com --dport 443 -m owner --uid-owner $(id -u) -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.