Sunshine CVE-2026-32253
Severity: CRITICAL
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
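The callback pattern described above, modelled without linking OpenSSL, as an added example that is not Sunshine's code. The names lenient_cb, strict_cb, chain_accepted and overridden_errors are hypothetical, the callback takes the error code directly instead of reading it from an X509_STORE_CTX, and the chain walk is a simplified stand-in for the library's.

```cpp
// Added example: a model of an OpenSSL-style verify callback. Not Sunshine's code.
#include <cstdio>
#include <vector>

// Values mirror the macros of the same names in <openssl/x509_vfy.h>.
enum : int {
  X509_V_OK = 0,
  X509_V_ERR_CERT_SIGNATURE_FAILURE = 7,
  X509_V_ERR_CERT_NOT_YET_VALID = 9,
  X509_V_ERR_CERT_HAS_EXPIRED = 10,
  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20,
};
using verify_cb = int (*)(int preverify_ok, int err);  // simplified signature

// Pattern from the description: three failures are reported as success.
int lenient_cb(int preverify_ok, int err) {
  if (preverify_ok) return 1;
  switch (err) {
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_CERT_HAS_EXPIRED:
      return 1;  // failure overridden, verification carries on
    default: return 0;
  }
}

// Strict variant: a failed built-in check is never upgraded to success.
int strict_cb(int preverify_ok, int /*err*/) { return preverify_ok; }

// Stand-in for the chain walk: one built-in result per check, callback decides.
bool chain_accepted(const std::vector<int>& results, verify_cb cb) {
  for (int err : results)
    if (!cb(err == X509_V_OK, err)) return false;
  return true;
}

// Regression probe: every error code in [1, 100) a callback turns into success.
std::vector<int> overridden_errors(verify_cb cb) {
  std::vector<int> out;
  for (int err = 1; err < 100; ++err)
    if (cb(0, err)) out.push_back(err);
  return out;
}

int main() {
  // Constructed input: the only failing built-in check is the unknown issuer.
  const std::vector<int> unknown = {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY};
  std::printf("lenient=%d strict=%d overridden=%zu\n", chain_accepted(unknown, lenient_cb),
              chain_accepted(unknown, strict_cb), overridden_errors(lenient_cb).size());
}
```

A probe like overridden_errors can run as a unit test against a verify callback so that any error code it upgrades to success shows up in review.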
Analysis (AI)
Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. …
Remediation (AI)
Within 24 hours: (1) Inventory all Sunshine deployments and their network exposure; (2) If internet-accessible, immediately disable remote access or implement firewall rules restricting to trusted internal networks only. Within 7 days: (1) Subscribe to LizardByte security advisories; (2) Implement network segmentation isolating Sunshine infrastructure; (3) Enable all available certificate validation and encryption controls. …