In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.
Conclusion & alert: CVE-2020-26117 is rated Moderate Risk (62.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 3.06%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-22 | 3.02% | 3.06% | +0.04% |
| 2 | 2026-06-15 | 0.69% | 3.02% | +2.33% |
| 3 | 2026-04-14 | — | 0.69% | — |
Full EPSS history (19 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.1 | 3.1 | HIGH |
|
2.8 | 5.2 | [email protected] |
| 5.8 | 2.0 | MEDIUM |
|
8.6 | 4.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2020-26117 not yet assigned priority: Debian including 1 source packages (tigervnc), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-26117 |
gentoo
|
normal | CVE-2020-26117: 1 GLSA(s) (202407-14), 1 atom(s) (net-misc/tigervnc); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2020-26117 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2020-26117 |
suse
|
critical | CVE-2020-26117 severity critical: SUSE including 306 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 440 product×package rows across 70 product lines (HPE Helion OpenStack 8, Image SLES12-SP5-Azure-SAP-BYOS, … (70 product lines)): Known Affected 231, Fixed 209. | https://www.suse.com/security/cve/CVE-2020-26117/ |
ubuntu
|
medium | CVE-2020-26117 medium priority: Ubuntu including 1 source packages (tigervnc), 16 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 10, DNE 2, released 2, ignored 1, needs-triage 1. | https://ubuntu.com/security/CVE-2020-26117 |
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00025.html | Broken Link Mailing List Third Party Advisory |
| http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00024.html | Broken Link Mailing List Third Party Advisory |
| https://bugzilla.opensuse.org/show_bug.cgi?id=1176733 | Issue Tracking Third Party Advisory |
| https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb | Patch Third Party Advisory |
| https://github.com/TigerVNC/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b | Patch Third Party Advisory |
| https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba | Patch Third Party Advisory |
| https://github.com/TigerVNC/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e | Patch Third Party Advisory |
| https://github.com/TigerVNC/tigervnc/releases/tag/v1.11.0 | Release Notes Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2020/10/msg00007.html | Mailing List Third Party Advisory |