CVE-2026-32253

Source
https://cve.org/CVERecord?id=CVE-2026-32253
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32253.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32253
Aliases
  • GHSA-ph75-mgxh-mv57
Published
2026-05-22T17:07:04.619Z
Modified
2026-07-08T08:12:46.877095369Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Sunshine: Authentication bypass via improper client certificate validation
Details

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY, X509VERRCERTNOTYETVALID, and X509VERRCERTHAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32253.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287",
        "CWE-295"
    ]
}
References

Affected packages

Git / github.com/lizardbyte/sunshine

Affected ranges

Type
GIT
Repo
https://github.com/lizardbyte/sunshine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2026.516.143833"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.1
v0.10.0
v0.11.0
v0.11.1
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.8.0
v0.9.0
v2025.*
v2025.118.151840
v2025.122.141614
v2025.628.4510
v2025.923.33222
v2025.924.154138
v2026.*
v2026.121.232953
v2026.121.33416
v2026.203.160441
v2026.204.180221
v2026.206.151412
v2026.208.203040
v2026.209.34151
v2026.211.162838
v2026.211.25443
v2026.213.34323
v2026.214.224301
v2026.214.30634
v2026.215.224211
v2026.218.44016
v2026.220.22826
v2026.221.41532
v2026.222.224531
v2026.223.155824
v2026.224.134041
v2026.225.33545
v2026.226.41312
v2026.228.232233
v2026.228.25700
v2026.302.133823
v2026.310.23228
v2026.311.154809
v2026.314.25625
v2026.331.130344
v2026.331.21700
v2026.408.194927
v2026.409.171120
v2026.507.123453
v2026.508.45922
v2026.513.230134
v2026.515.151803
v2026.516.30826

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32253.json"