CRITICAL🇵🇱 Wersja polska

CVE-2026-32253

CVSS 9.8v3.1pub. 2026-05-22upd. 2026-05-26

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.

🤖 AI Analysis
How it works

In the file src/crypto.cpp, a custom OpenSSL verification callback incorrectly treats certain certificate validation error codes as positive results. Specifically, errors X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED are handled as success instead of rejection. As a result, an untrusted, invalid, or expired certificate can successfully pass the client authentication process.

Impact

An attacker without a valid, trusted certificate can bypass the authentication mechanism and gain full access to protected HTTPS endpoints of a Sunshine instance, compromising the confidentiality, integrity, and availability of the system.

Mitigation & patch

Sunshine should be updated to version 2026.516.143833 or later, where the issue has been fixed. The patch is available in the project's GitHub repository at: https://github.com/LizardByte/Sunshine/releases/tag/v2026.516.143833

Who is affected

Lizardbyte Sunshine in all versions prior to 2026.516.143833

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lizardbyte Sunshine

    APP
    Lizardbyte
    < 2026.516.143833
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-53095CRITICAL9.6PL ✓ten sam produkt

CSRF w Sunshine umożliwia RCE z uprawnieniami administratora

CVE-2025-10199HIGH7.8ten sam produkt

A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely...

CVE-2025-10198HIGH7.8ten sam produkt

Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing ...

CVE-2024-51738HIGH7.7ten sam produkt

Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol i...

CVE-2024-31220HIGH7.3ten sam produkt

Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18...