CRITICAL
LizardByte
CVE published 2026-05-22
CVE-2026-32253
Sunshine is a self-hosted game streaming host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication mechanism can be bypassed due to improper handling of OpenSSL verification results in src/crypto.cpp. The custom verify callback incorrectly treats three specific OpenSSL error conditions as successful verification: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (unable to [truncated]