CVE-2026-3502 HIGH

CVE-2026-3502: TrueConf Client Update Integrity Verification Bypass

Vendor Trueconf
Product TrueConf Client
Weakness CWE-494 · Download without integrity check
KEV Status Known Exploited
Published March 30, 2026
Last update April 3, 2026

CVSS base score

7.8/10
Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

March 30, 2026 CVE published
April 3, 2026 Record updated