Skip to main content

TinyIce CVE-2026-45327

| EUVDEUVD-2026-34863 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-05-18 https://github.com/DatanoiseTV/tinyice GHSA-p7c4-8x34-8j8f
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:00 vuln.today
Analysis Generated
May 18, 2026 - 18:00 vuln.today

DescriptionGitHub Advisory

Title

Missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce

Ecosystem / Package

  • Ecosystem: Go (or "Other" - TinyIce is shipped as a Go binary, not a Go module published to a registry)
  • Package name: github.com/DatanoiseTV/tinyice

Affected versions

>= 0.8.95, <= 2.4.1

(Introduced 2026-02-21 in commit e2b60d6 - "debug: add Go Live connection tracing and backend data flow logging" - when handleWebRTCSourceOffer was registered at /webrtc/source-offer without an authentication check. Every tagged release from v0.8.95 through v2.4.1 ships the vulnerable handler.)

Patched versions

>= 2.5.0

Severity

Description

TinyIce's WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=<mount>, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to WebRTCManager.HandleSourceOffer, which then accepted whatever audio/video tracks the peer published and broadcast them on the named mount as if they were the legitimate source.

The other ingest paths (POST /<mount> over HTTP/1 with the icecast SOURCE / PUT verb, RTMP, SRT) all require the per-mount source password, falling back to default_source_password from the config. The WebRTC ingest path didn't.

Impact

A network attacker who can reach the TinyIce HTTP port can:

  1. Identify a target mount (mount names are public - they appear in the directory listing, the player URL, and the YP listing).
  2. Negotiate a WebRTC peer connection with the server.
  3. Publish arbitrary Opus / H.264 to that mount.
  4. Have it broadcast to every listener on the mount.

This is a high-integrity-impact issue: an attacker can replace a radio's broadcast with their own audio (silence, noise, malicious content, branded competitor content, etc.). Listeners hear what the attacker sends, not what the legitimate publisher intended.

The legitimate publisher can re-establish their session - TinyIce's source-takeover handshake gives the new offer priority once it arrives, with a 3-second drain of the previous pump goroutine - but the attacker can in principle re-connect immediately after, producing a sustained broadcast hijack until the operator manually intervenes (block at firewall, rotate source passwords once the patch is applied, restart the service).

There is no direct confidentiality impact through this endpoint: the attacker doesn't gain access to listener data or other mounts' content.

Workarounds

If users cannot upgrade immediately:

  • Recommended: block POST /webrtc/source-offer at the reverse proxy in front of TinyIce. The endpoint has no production use case for clients outside the operator's own administration - disabling it loses no functionality unless the consuming application specifically use the browser-based "go-live" feature.
  • Restrict TinyIce's HTTP port to a trusted network (VPN, internal LAN). Listener access can still be served via a separately-firewalled CDN if the application needs public listening.

Detection

To check whether an application's deployment is exposed, run from outside the network:

curl -i -X POST 'https://your-tinyice-host/webrtc/source-offer?mount=/anymount' \
  -H 'Content-Type: application/json' \
  -d '{"type":"offer","sdp":"v=0\r\n"}'
  • If the response is 400 Bad Request with a JSON body containing an SDP-parsing error from pion/webrtc, a consuming application is vulnerable - the server tried to negotiate the (malformed) offer without asking for credentials.
  • If the response is 401 Unauthorized (Basic auth challenge), the consuming application has been patched.

Authenticated log lines on a patched server will look like:

WARN  Authentication failed for user 'webrtc-source' from 1.2.3.4: invalid source password

Fix

Upstream commit: 8067d6b "fix(api): require source password on /webrtc/source-offer + CSRF/access on /go-live-chunk".

The handler now:

  1. Requires either HTTP Basic auth or a ?password= query parameter.
  2. Compares the supplied password against the per-mount source password (or the default_source_password fallback) using bcrypt.
  3. Hooks into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout).
  4. Rejects requests for mounts in disabled_mounts.

The same release also tightens an adjacent endpoint, POST /admin/golive/chunk, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token.

Timeline

  • 2026-02-21 - Vulnerable handler introduced (e2b60d6).
  • 2026-05-09 - Vulnerability identified during a maintainer-led audit.
  • 2026-05-09 - Patched in commit 8067d6b, released as v2.5.0.
  • 2026-05-09 - GitHub Security Advisory published, CVE assigned.

AnalysisAI

Unauthenticated broadcast hijack in TinyIce versions 0.8.95 through 2.4.1 allows any network attacker reaching the HTTP port to inject arbitrary audio/video streams onto any mount via the WebRTC source-ingest endpoint. The POST /webrtc/source-offer handler omitted the source-password check that all other ingest paths (Icecast SOURCE/PUT, RTMP, SRT) enforce, letting attackers replace legitimate broadcasts with their own content. Publicly available exploit code exists in the form of a one-line curl probe published in the GHSA advisory, though no public exploit identified for sustained hijack at time of analysis.

Technical ContextAI

TinyIce is a Go-based Icecast-compatible streaming media server (github.com/DatanoiseTV/tinyice) that accepts source streams over multiple protocols and rebroadcasts them to listeners on named mounts. The vulnerability sits in server/handlers_api.go where handleWebRTCSourceOffer was registered at /webrtc/source-offer on 2026-02-21 (commit e2b60d6) without invoking the shared auth helpers (checkAuthLimit, getSourcePassword, CheckPasswordHash) that gate the other ingest verbs. The handler passed the inbound SDP directly to WebRTCManager.HandleSourceOffer, which uses pion/webrtc to negotiate a peer connection and accept whatever Opus/H.264 tracks the peer publishes. This is a textbook CWE-306 (Missing Authentication for Critical Function): a security-relevant operation reachable without any credential check, in this case because a new ingest path was added without porting the per-mount password gate that protects the equivalent legacy paths.

RemediationAI

Vendor-released patch: upgrade to TinyIce v2.5.0 or later (release at https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0), which adds Basic-auth/password-query enforcement, bcrypt comparison, brute-force rate-limiting, and disabled_mounts checks to handleWebRTCSourceOffer (commit https://github.com/DatanoiseTV/tinyice/commit/8067d6b). If immediate upgrade is impossible, block POST /webrtc/source-offer at the reverse proxy in front of TinyIce - the advisory notes this endpoint has no production use for clients outside the operator's own admin UI, so blocking it only breaks the browser-based go-live feature and leaves listener/source paths intact. As a broader compensating control, restrict the TinyIce HTTP port to a trusted network (VPN or internal LAN) and front public listener access with a separately firewalled CDN, accepting that browser go-live ingestion will no longer work from the public internet. After patching, rotate per-mount source passwords and default_source_password since they may have been observed by anyone with network access who probed the endpoint.

Share

CVE-2026-45327 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy