PatchSiren cyber security CVE debrief
CVE-2026-32253 LizardByte CVE debrief
Sunshine is a self-hosted game streaming host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication mechanism can be bypassed due to improper handling of OpenSSL verification results in src/crypto.cpp. The custom verify callback incorrectly treats three specific OpenSSL error conditions as successful verification: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (unable to locate issuer certificate locally), X509_V_ERR_CERT_NOT_YET_VALID (certificate not yet valid), and X509_V_ERR_CERT_HAS_EXPIRED (certificate has expired). This logic flaw allows an attacker presenting an untrusted, expired, or not-yet-valid certificate to pass authentication and gain access to protected HTTPS endpoints. The vulnerability has been assigned a CVSS 3.1 score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-based exploitation with low complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The issue was published on 2026-05-22 and last modified on 2026-05-26. It has been remediated in version 2026.516.143833. No known exploitation in ransomware campaigns has been reported.
- Vendor: LizardByte
- Product: Sunshine
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-26
Who should care
Organizations and individuals operating Sunshine game streaming servers with client-certificate authentication enabled, particularly those exposing HTTPS endpoints to the internet or untrusted networks. Security teams responsible for application security in self-hosted media and gaming infrastructure should prioritize patching due to the critical severity and network-exploitable nature of this vulnerability.
Technical summary
The vulnerability exists in src/crypto.cpp where a custom certificate verification callback function processes OpenSSL verification results. The callback returns success (1) for three specific error codes that should indicate verification failure: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (error code 20), X509_V_ERR_CERT_NOT_YET_VALID (error code 9), and X509_V_ERR_CERT_HAS_EXPIRED (error code 10). This implementation error subverts the certificate chain validation, allowing attackers to authenticate with certificates that fail standard X.509 validation checks. The affected HTTPS endpoints rely on this broken verification for client authentication, resulting in complete authentication bypass. The fix in version 2026.516.143833 corrects the verification callback logic to properly reject certificates with these error conditions.
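The pattern described above, as an added illustration that is not Sunshine's code: an OpenSSL-style verify callback that treats the three error codes as success, beside the corrected form. So that it builds without OpenSSL headers, the callback is modeled as a pure function taking the pre-verification result and the X509_STORE_CTX error code (the real callback reads it with X509_STORE_CTX_get_error); the numeric codes are OpenSSL's as cited in the summary, and the verification outcomes fed to it are constructed.

```c
#include <stdio.h>
/* OpenSSL X509 verify result codes (values as cited above; X509_V_OK is 0), defined here so the example builds without OpenSSL headers. */
#define X509_V_OK                                     0
#define X509_V_ERR_CERT_NOT_YET_VALID                 9
#define X509_V_ERR_CERT_HAS_EXPIRED                  10
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20

/* Shape of the flawed callback: three verification failures are treated as
 * success. Returning 1 tells OpenSSL to carry on as if this cert verified. */
int vulnerable_verify_cb(int preverify_ok, int err) {
    if (preverify_ok) return 1;
    switch (err) {
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return 1; /* BUG: untrusted, expired or not-yet-valid cert accepted */
    default:
        return 0;
    }
}

/* Corrected form: log if desired, but return OpenSSL's own verdict unchanged. */
int fixed_verify_cb(int preverify_ok, int err) {
    if (!preverify_ok)
        fprintf(stderr, "client cert rejected: X509 verify error %d\n", err);
    return preverify_ok;
}

/* Constructed outcomes as OpenSSL would hand them to the callback. */
struct verify_case { int preverify_ok; int err; };
static const struct verify_case kCases[] = {
    { 1, X509_V_OK },
    { 0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY },
    { 0, X509_V_ERR_CERT_NOT_YET_VALID },
    { 0, X509_V_ERR_CERT_HAS_EXPIRED },
    { 0, 7 }, /* X509_V_ERR_CERT_SIGNATURE_FAILURE: rejected by both */
};
#define NCASES (sizeof kCases / sizeof kCases[0])

/* Cases the flawed callback lets through while the corrected one rejects them:
 * 3, one per error code named in the advisory. */
int count_wrongly_accepted(void) {
    int n = 0;
    for (size_t i = 0; i < NCASES; i++) {
        int bad  = vulnerable_verify_cb(kCases[i].preverify_ok, kCases[i].err);
        int good = fixed_verify_cb(kCases[i].preverify_ok, kCases[i].err);
        if (bad && !good) n++;
    }
    return n;
}
```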
Defensive priority
critical
Recommended defensive actions
- Upgrade Sunshine to version 2026.516.143833 or later to remediate the authentication bypass vulnerability.
- If immediate patching is not feasible, consider disabling client-certificate authentication and relying on an alternative mechanism such as strong password-based authentication combined with multi-factor authentication.
- Review access controls to ensure HTTPS endpoints are not exposed to untrusted networks where possible.
- Monitor authentication logs for anomalous certificate-based access attempts that may indicate exploitation attempts.
- Verify that any reverse proxy or TLS termination layer in front of Sunshine performs proper certificate validation independently of the application.
Evidence notes
Vulnerability description derived from NVD record and GitHub Security Advisory GHSA-ph75-mgxh-mv57. Affected versions confirmed via CPE criteria: cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:* with versionEndExcluding 2026.516.143833. CVSS vector and weaknesses (CWE-287, CWE-295) sourced from NVD enrichment data.
Official resources
- CVE-2026-32253 CVE record (CVE.org)
- CVE-2026-32253 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Product, Release Notes)
- Mitigation or vendor reference: [email protected] (Exploit, Vendor Advisory)
2026-05-22T17:16:46.393Z