Description
TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Published: 2026-03-30
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The TrueConf Client retrieves update files from a specified source and installs them without performing integrity checks such as cryptographic signatures or checksums. Because no verification is performed, a malicious payload supplied on the update path can be executed during installation, giving the attacker arbitrary code execution privileges in the context of the updater or the end user. This behaviour is consistent with CWE‑494, which relates to the exploitation of insecure data.

Affected Systems

All installations of TrueConf Client that use the automatic update mechanism are potentially impacted. The CNA identifies the product as TrueConf Client, but no particular versions are excluded or specifically listed; consequently, any release prior to the integrity‑checking update is at risk.

Risk and Exploitability

The CVSS score of 7.8 places the vulnerability in the high‑severity range. The description states that the attacker only needs to influence the update delivery path; the CVE does not specify the precise method, but control of that path would enable a malicious update to be downloaded and executed. No user interaction is required beyond this influence. While an EPSS score is unavailable and the vulnerability is not catalogued in CISA’s KEV, the vendor has released fixes that address the underlying issue.

Generated by OpenCVE AI on March 30, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TrueConf Client to version 8.5 or later, which introduces integrity verification for updates.
  • Ensure that any update downloads originate from the official TrueConf domain and that TLS certificate validation is enforced, blocking access to unauthorised update servers.
  • If an immediate patch cannot be applied, disable automatic updates to prevent the installation of unverified packages.

Generated by OpenCVE AI on March 30, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.
Title TrueConf Client Update Integrity Verification Bypass
Weaknesses CWE-494
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: checkpoint

Published:

Updated: 2026-03-30T18:05:42.806Z

Reserved: 2026-03-03T21:18:35.221Z

Link: CVE-2026-3502

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-30T19:16:27.053

Modified: 2026-03-30T19:16:27.053

Link: CVE-2026-3502

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:55:16Z

Weaknesses