CVE-2026-32253
Published 2026-05-22
Priority: P262 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% (20.7th percentile)
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
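The callback pattern described above, modelled as an added example (not Sunshine's code from src/crypto.cpp and not the project's fix). The error constants mirror the values in OpenSSL's `<openssl/x509_vfy.h>`; `lenient_cb`, `strict_cb`, `verify_chain` and `client_authenticated` are hypothetical names, and `verify_chain` is a simplified stand-in for OpenSSL's chain verification run over constructed findings.

```cpp
#include <cstdio>
#include <vector>

// Values as defined in <openssl/x509_vfy.h>, mirrored so this builds without OpenSSL.
constexpr int X509_V_OK = 0;
constexpr int X509_V_ERR_CERT_NOT_YET_VALID = 9;
constexpr int X509_V_ERR_CERT_HAS_EXPIRED = 10;
constexpr int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20;

using verify_cb = int (*)(int preverify_ok, int err);

// Pattern from the advisory: three failure codes are reported back as success.
int lenient_cb(int preverify_ok, int err) {
  if (preverify_ok) return 1;
  return err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
         err == X509_V_ERR_CERT_NOT_YET_VALID ||
         err == X509_V_ERR_CERT_HAS_EXPIRED;
}

// Hardened form: the callback can observe or veto, but never upgrades a failure.
int strict_cb(int preverify_ok, int /*err*/) { return preverify_ok; }

struct Outcome {
  bool handshake_ok;  // whether verification let the handshake continue
  int verify_result;  // last recorded error, as SSL_get_verify_result() reports it
};

// Hypothetical, simplified stand-in for OpenSSL's chain verification. `findings`
// is constructed input: X509_V_OK for a passed check, an X509_V_ERR_* code otherwise.
Outcome verify_chain(const std::vector<int>& findings, verify_cb cb) {
  int last_err = X509_V_OK;
  for (int f : findings) {
    if (f != X509_V_OK) last_err = f;
    if (!cb(f == X509_V_OK, f)) return {false, last_err};
  }
  return {true, last_err};
}

// Defence in depth: require a completed handshake and a clean verify result.
bool client_authenticated(const Outcome& o) {
  return o.handshake_ok && o.verify_result == X509_V_OK;
}

int main() {
  const std::vector<int> unknown_issuer = {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY};
  Outcome a = verify_chain(unknown_issuer, lenient_cb);
  Outcome b = verify_chain(unknown_issuer, strict_cb);
  std::printf("lenient: handshake=%d result=%d\n", a.handshake_ok, a.verify_result);
  std::printf("strict:  handshake=%d result=%d\n", b.handshake_ok, b.verify_result);
}
```

OpenSSL documents that when a verify callback returns 1 the handshake continues and the last verification error stays readable through `SSL_get_verify_result()`, which is the value `client_authenticated` checks.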
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lizardbyte | sunshine | < 2026.516.143833 | 2026.516.143833 |
| lizardbyte | sunshine | < 2026.516.143833 | 2026.516.143833 |
CVSS provenance
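| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| cvelistv5 | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |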
CVEList
Sunshine: Authentication bypass via improper client certificate validation
cvelistv5·2026-05-22·CVSS 9.8
CVE-2026-32253 [CRITICAL] CWE-287 Sunshine: Authentication bypass via improper client certificate validation
VulDB
LizardByte Sunshine up to 2026.516.143832 HTTPS Endpoint src/crypto.cpp improper authentication (GHSA-ph75-mgxh-mv57)
vuldb·2026-05-22
CVE-2026-32253 [CRITICAL] LizardByte Sunshine up to 2026.516.143832 HTTPS Endpoint src/crypto.cpp improper authentication (GHSA-ph75-mgxh-mv57)
A vulnerability classified as critical was found in LizardByte Sunshine up to 2026.516.143832. Affected is an unknown function of the file src/crypto.cpp of the component HTTPS Endpoint. The manipulation results in improper authentication.
This vulnerability is reported as CVE-2026-32253. The attack requires a local approach. No exploit exists.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.