CVE-2026-3502

TrueConf Client Update Integrity Verification Bypass

CVSS 7.8 HIGHEPSS 5.8%● KEVCWE-494

In short

TrueConf Client downloads updates without checking if they're genuine, allowing attackers to inject malicious code if they can intercept the download. This can lead to complete compromise of the user's system.

Technical detail

The application fails to cryptographically verify update integrity before execution, creating an arbitrary code execution vulnerability. An attacker with network-level access (e.g., MITM) can replace legitimate updates with malicious payloads, executing code with the privileges of the update process or logged-in user.

Summary generated and translated by AI from the official description.

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

Affected products

TrueConf · TrueConf Client

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/https://trueconf.com/blog/update/trueconf-8-5 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3502