CVE-2026-32253

CRITICAL EPSS 20.8%

Published May 22, 20261mo ago · Modified Jun 17, 20261w ago

9.8 CVSS 3.1

Critical

Published May 22, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.

CVSS Details

Base Score

9.8

Exploitability

3.9

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

20.8% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 2

CWE-287 Improper Authentication Authentication

CWE-295

Affected Products 1

Vendor	Product	Version	Range
lizardbyte	sunshine	*	<2026.516.143833

References 2

github.com https://github.com/LizardByte/Sunshine/releases/tag/v2026.516.143833

ProductRelease Notes
github.com https://github.com/LizardByte/Sunshine/security/advisories/GHSA-ph75-mgxh-mv57

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.