PatchSiren cyber security CVE debrief
CVE-2026-45327 DatanoiseTV CVE debrief
CVE-2026-45327 is a HIGH severity vulnerability in TinyIce streaming server versions 0.8.95 through 2.4.1. The vulnerability allows unauthenticated stream injection due to missing authentication on the WebRTC ingest endpoint. This issue was fixed in version 2.5.0, which requires either HTTP Basic auth or a `?password=` query parameter for authentication. The fix also includes integration with an existing brute-force IP rate-limiter and checks for disabled mounts.
- Vendor: DatanoiseTV
- Product: tinyice
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Anyone running TinyIce streaming server versions 0.8.95 through 2.4.1 should upgrade to version 2.5.0, which contains the fix, to prevent unauthenticated stream injection.
Technical summary
TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, the WebRTC ingest endpoint lacks authentication, allowing unauthenticated stream injection. Version 2.5.0 addresses this by requiring authentication through either HTTP Basic auth or a `?password=` query parameter. The supplied password is compared against the per-mount source password (or the `default_source_password` fallback) using bcrypt. Additionally, the fix integrates with an existing brute-force IP rate-limiter, which locks out an IP after 5 failed attempts within 15 minutes. Requests for mounts in `disabled_mounts` are also rejected.
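The checks described above, sketched in Go as an added example; this is not TinyIce's own code. The `Gate` type, the `Verify` callback (standing in for the bcrypt comparison), the status codes, the order of the checks and the request URL are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Gate is a hypothetical type (not TinyIce code); status codes and check order are assumptions.
type Gate struct {
	mu       sync.Mutex
	fails    map[string][]time.Time            // client IP -> failure times
	Disabled map[string]bool                   // mounts in disabled_mounts
	Verify   func(mount, password string) bool // stands in for the bcrypt comparison
}
// Check returns the HTTP status for an ingest request from ip to mount at time now.
func (g *Gate) Check(r *http.Request, ip, mount string, now time.Time) int {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.fails == nil {
		g.fails = map[string][]time.Time{}
	}
	recent := g.fails[ip][:0]
	for _, t := range g.fails[ip] { // keep only failures inside the 15-minute window
		if now.Sub(t) < 15*time.Minute {
			recent = append(recent, t)
		}
	}
	g.fails[ip] = recent
	if len(recent) >= 5 { // locked out after 5 failed attempts
		return http.StatusTooManyRequests
	}
	if g.Disabled[mount] {
		return http.StatusForbidden
	}
	_, pw, ok := r.BasicAuth() // HTTP Basic first, then ?password=
	if !ok {
		pw = r.URL.Query().Get("password")
	}
	if pw == "" || !g.Verify(mount, pw) {
		g.fails[ip] = append(recent, now) // missing or wrong credentials count as a failure
		return http.StatusUnauthorized
	}
	return http.StatusOK
}
func main() {
	r, _ := http.NewRequest("POST", "http://example.invalid/ingest?password=wrong", nil) // constructed
	fmt.Println((&Gate{Verify: func(_, pw string) bool { return pw == "constructed" }}).Check(r, "192.0.2.10", "/live", time.Now()))
}
```

Query strings are commonly recorded in access and proxy logs, so HTTP Basic auth over TLS is the safer of the two credential paths for source clients.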
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to TinyIce version 2.5.0, which enforces authentication on the WebRTC ingest endpoint.
- Use either HTTP Basic auth or the `?password=` query parameter for authentication.
- Ensure that the per-mount source password or `default_source_password` is securely configured.
- Review and adjust the IP rate-limiter settings as needed.
- Verify that mounts listed in `disabled_mounts` are not inadvertently exposed.
Evidence notes
The CVE-2026-45327 vulnerability has a CVSS score of 8.2 and is classified as HIGH severity. The vulnerability was published on 2026-06-05T18:17:27.220Z and last modified on 2026-06-05T19:02:13.790Z.