Sunshine CVE-2026-32253
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionGitHub Advisory
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
AnalysisAI
Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects trivial network-based exploitation against default deployments.
Technical ContextAI
Sunshine is an open-source self-hosted game streaming host implementing the Moonlight streaming protocol, distributed by LizardByte and identified by CPE cpe:2.3:a:lizardbyte:sunshine. The vulnerability resides in src/crypto.cpp where a custom OpenSSL X509 verify_callback handles certificate validation results. The flaw is a classic CWE-287 Improper Authentication issue: the callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (issuer CA not in trust store), X509_V_ERR_CERT_NOT_YET_VALID (certificate not yet valid), and X509_V_ERR_CERT_HAS_EXPIRED (expired certificate) as successful verification outcomes, effectively short-circuiting OpenSSL's certificate chain validation. This defeats the entire purpose of mutual TLS client-certificate authentication that gates access to Sunshine's HTTPS control endpoints used for pairing and stream management.
RemediationAI
Vendor-released patch: upgrade to Sunshine v2026.516.143833 or later, available from https://github.com/LizardByte/Sunshine/releases/tag/v2026.516.143833, which corrects the verify callback logic in src/crypto.cpp so the three previously-ignored X509 errors are treated as authentication failures (see GHSA-ph75-mgxh-mv57). Where immediate upgrade is not possible, restrict network exposure of the Sunshine HTTPS control endpoints by binding the service to localhost or a trusted management VLAN, removing any port-forwarding rules on the perimeter firewall/router, and placing the host behind a VPN such as WireGuard or Tailscale so only authenticated peers can reach the listener; the trade-off is loss of direct remote streaming until the patch is applied. Avoid relying on re-pairing or rotating client certificates as a workaround since the bypass accepts arbitrary untrusted certificates regardless of pairing state.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today