Vulnerability-Lookup

CVE-2026-45327 (GCVE-0-2026-45327)

Vulnerability from cvelistv5 – Published: 2026-06-05 16:57 – Updated: 2026-06-05 19:07

Title

TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

Summary

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token.

Severity

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/DatanoiseTV/tinyice/security/a…	x_refsource_CONFIRM
https://github.com/DatanoiseTV/tinyice/commit/8067d6b	x_refsource_MISC
https://github.com/DatanoiseTV/tinyice/releases/t…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
DatanoiseTV	tinyice	Affected: >= 0.8.95, < 2.5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45327",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-05T19:07:18.738670Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-05T19:07:26.982Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tinyice",
          "vendor": "DatanoiseTV",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.8.95, \u003c 2.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user\u0027s per-mount access nor check the CSRF token."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T16:57:52.612Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f"
        },
        {
          "name": "https://github.com/DatanoiseTV/tinyice/commit/8067d6b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DatanoiseTV/tinyice/commit/8067d6b"
        },
        {
          "name": "https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0"
        }
      ],
      "source": {
        "advisory": "GHSA-p7c4-8x34-8j8f",
        "discovery": "UNKNOWN"
      },
      "title": "TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45327",
    "datePublished": "2026-06-05T16:57:52.612Z",
    "dateReserved": "2026-05-11T20:50:30.539Z",
    "dateUpdated": "2026-06-05T19:07:26.982Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45327",
      "date": "2026-06-08",
      "epss": "0.00071",
      "percentile": "0.21718"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45327\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-05T18:17:27.220\",\"lastModified\":\"2026-06-05T19:02:13.790\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user\u0027s per-mount access nor check the CSRF token.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"references\":[{\"url\":\"https://github.com/DatanoiseTV/tinyice/commit/8067d6b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45327\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-05T19:07:18.738670Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-05T19:07:22.107Z\"}}], \"cna\": {\"title\": \"TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection\", \"source\": {\"advisory\": \"GHSA-p7c4-8x34-8j8f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"DatanoiseTV\", \"product\": \"tinyice\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.8.95, \u003c 2.5.0\"}]}], \"references\": [{\"url\": \"https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f\", \"name\": \"https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/DatanoiseTV/tinyice/commit/8067d6b\", \"name\": \"https://github.com/DatanoiseTV/tinyice/commit/8067d6b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0\", \"name\": \"https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user\u0027s per-mount access nor check the CSRF token.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-05T16:57:52.612Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45327\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-05T19:07:26.982Z\", \"dateReserved\": \"2026-05-11T20:50:30.539Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-05T16:57:52.612Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45327

Vulnerability from fkie_nvd - Published: 2026-06-05 18:17 - Updated: 2026-06-05 19:02

Severity

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/DatanoiseTV/tinyice/commit/8067d6b
	security-advisories@github.com	https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0
	security-advisories@github.com	https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user\u0027s per-mount access nor check the CSRF token."
    }
  ],
  "id": "CVE-2026-45327",
  "lastModified": "2026-06-05T19:02:13.790",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-05T18:17:27.220",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DatanoiseTV/tinyice/commit/8067d6b"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-P7C4-8X34-8J8F

Vulnerability from github – Published: 2026-05-18 17:20 – Updated: 2026-05-18 17:20

Summary

TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

Details

Title

Missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce

Ecosystem / Package

Ecosystem: Go (or "Other" — TinyIce is shipped as a Go binary, not a Go module published to a registry)
Package name: github.com/DatanoiseTV/tinyice

Affected versions

>= 0.8.95, <= 2.4.1

(Introduced 2026-02-21 in commit e2b60d6 — "debug: add Go Live connection tracing and backend data flow logging" — when handleWebRTCSourceOffer was registered at /webrtc/source-offer without an authentication check. Every tagged release from v0.8.95 through v2.4.1 ships the vulnerable handler.)

Patched versions

>= 2.5.0

Severity

CVSS 3.1 base score: 7.4 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CWE: CWE-306: Missing Authentication for Critical Function

Description

TinyIce's WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=<mount>, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to WebRTCManager.HandleSourceOffer, which then accepted whatever audio/video tracks the peer published and broadcast them on the named mount as if they were the legitimate source.

The other ingest paths (POST /<mount> over HTTP/1 with the icecast SOURCE / PUT verb, RTMP, SRT) all require the per-mount source password, falling back to default_source_password from the config. The WebRTC ingest path didn't.

Impact

A network attacker who can reach the TinyIce HTTP port can:

Identify a target mount (mount names are public — they appear in the directory listing, the player URL, and the YP listing).
Negotiate a WebRTC peer connection with the server.
Publish arbitrary Opus / H.264 to that mount.
Have it broadcast to every listener on the mount.

This is a high-integrity-impact issue: an attacker can replace a radio's broadcast with their own audio (silence, noise, malicious content, branded competitor content, etc.). Listeners hear what the attacker sends, not what the legitimate publisher intended.

The legitimate publisher can re-establish their session — TinyIce's source-takeover handshake gives the new offer priority once it arrives, with a 3-second drain of the previous pump goroutine — but the attacker can in principle re-connect immediately after, producing a sustained broadcast hijack until the operator manually intervenes (block at firewall, rotate source passwords once the patch is applied, restart the service).

There is no direct confidentiality impact through this endpoint: the attacker doesn't gain access to listener data or other mounts' content.

Workarounds

If users cannot upgrade immediately:

Recommended: block POST /webrtc/source-offer at the reverse proxy in front of TinyIce. The endpoint has no production use case for clients outside the operator's own administration — disabling it loses no functionality unless the consuming application specifically use the browser-based "go-live" feature.
Restrict TinyIce's HTTP port to a trusted network (VPN, internal LAN). Listener access can still be served via a separately-firewalled CDN if the application needs public listening.

Detection

To check whether an application's deployment is exposed, run from outside the network:

curl -i -X POST 'https://your-tinyice-host/webrtc/source-offer?mount=/anymount' \
  -H 'Content-Type: application/json' \
  -d '{"type":"offer","sdp":"v=0\r\n"}'

If the response is 400 Bad Request with a JSON body containing an SDP-parsing error from pion/webrtc, a consuming application is vulnerable — the server tried to negotiate the (malformed) offer without asking for credentials.
If the response is 401 Unauthorized (Basic auth challenge), the consuming application has been patched.

Authenticated log lines on a patched server will look like:

WARN  Authentication failed for user 'webrtc-source' from 1.2.3.4: invalid source password

Fix

Upstream commit: 8067d6b "fix(api): require source password on /webrtc/source-offer + CSRF/access on /go-live-chunk".

The handler now:

Requires either HTTP Basic auth or a ?password= query parameter.
Compares the supplied password against the per-mount source password (or the default_source_password fallback) using bcrypt.
Hooks into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout).
Rejects requests for mounts in disabled_mounts.

The same release also tightens an adjacent endpoint, POST /admin/golive/chunk, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token.

Timeline

2026-02-21 — Vulnerable handler introduced (e2b60d6).
2026-05-09 — Vulnerability identified during a maintainer-led audit.
2026-05-09 — Patched in commit 8067d6b, released as v2.5.0.
2026-05-09 — GitHub Security Advisory published, CVE assigned.

Severity

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/DatanoiseTV/tinyice"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.95"
            },
            {
              "fixed": "2.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:20:17Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Title\n\nMissing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce\n\n## Ecosystem / Package\n\n- **Ecosystem:** `Go` (or \"Other\" \u2014 TinyIce is shipped as a Go binary, not a Go module published to a registry)\n- **Package name:** `github.com/DatanoiseTV/tinyice`\n\n## Affected versions\n\n```\n\u003e= 0.8.95, \u003c= 2.4.1\n```\n\n(Introduced 2026-02-21 in commit `e2b60d6` \u2014 \"debug: add Go Live connection tracing and backend data flow logging\" \u2014 when `handleWebRTCSourceOffer` was registered at `/webrtc/source-offer` without an authentication check. Every tagged release from `v0.8.95` through `v2.4.1` ships the vulnerable handler.)\n\n## Patched versions\n\n```\n\u003e= 2.5.0\n```\n\n## Severity\n\n- **CVSS 3.1 base score:** 7.4 (High)\n- **CVSS vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L`\n- **CWE:** [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)\n\n## Description\n\nTinyIce\u0027s WebRTC source-ingest HTTP endpoint, `POST /webrtc/source-offer?mount=\u003cmount\u003e`, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to `WebRTCManager.HandleSourceOffer`, which then accepted whatever audio/video tracks the peer published and broadcast them on the named mount as if they were the legitimate source.\n\nThe other ingest paths (`POST /\u003cmount\u003e` over HTTP/1 with the icecast `SOURCE` / `PUT` verb, RTMP, SRT) all require the per-mount source password, falling back to `default_source_password` from the config. The WebRTC ingest path didn\u0027t.\n\n## Impact\n\nA network attacker who can reach the TinyIce HTTP port can:\n\n1. Identify a target mount (mount names are public \u2014 they appear in the directory listing, the player URL, and the YP listing).\n2. Negotiate a WebRTC peer connection with the server.\n3. Publish arbitrary Opus / H.264 to that mount.\n4. Have it broadcast to every listener on the mount.\n\nThis is a high-integrity-impact issue: an attacker can replace a radio\u0027s broadcast with their own audio (silence, noise, malicious content, branded competitor content, etc.). Listeners hear what the attacker sends, not what the legitimate publisher intended.\n\nThe legitimate publisher can re-establish their session \u2014 TinyIce\u0027s source-takeover handshake gives the new offer priority once it arrives, with a 3-second drain of the previous pump goroutine \u2014 but the attacker can in principle re-connect immediately after, producing a sustained broadcast hijack until the operator manually intervenes (block at firewall, rotate source passwords once the patch is applied, restart the service).\n\nThere is no direct confidentiality impact through this endpoint: the attacker doesn\u0027t gain access to listener data or other mounts\u0027 content.\n\n## Workarounds\n\nIf users cannot upgrade immediately:\n\n- **Recommended:** block `POST /webrtc/source-offer` at the reverse proxy in front of TinyIce. The endpoint has no production use case for clients outside the operator\u0027s own administration \u2014 disabling it loses no functionality unless the consuming application specifically use the browser-based \"go-live\" feature.\n- Restrict TinyIce\u0027s HTTP port to a trusted network (VPN, internal LAN). Listener access can still be served via a separately-firewalled CDN if the application needs public listening.\n\n## Detection\n\nTo check whether an application\u0027s deployment is exposed, run from outside the network:\n\n```\ncurl -i -X POST \u0027https://your-tinyice-host/webrtc/source-offer?mount=/anymount\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"type\":\"offer\",\"sdp\":\"v=0\\r\\n\"}\u0027\n```\n\n- If the response is `400 Bad Request` with a JSON body containing an SDP-parsing error from `pion/webrtc`, **a consuming application is vulnerable** \u2014 the server tried to negotiate the (malformed) offer without asking for credentials.\n- If the response is `401 Unauthorized` (Basic auth challenge), the consuming application has been patched.\n\nAuthenticated log lines on a patched server will look like:\n\n```\nWARN  Authentication failed for user \u0027webrtc-source\u0027 from 1.2.3.4: invalid source password\n```\n\n## Fix\n\nUpstream commit: [`8067d6b`](https://github.com/DatanoiseTV/tinyice/commit/8067d6b) \"fix(api): require source password on /webrtc/source-offer + CSRF/access on /go-live-chunk\".\n\nThe handler now:\n\n1. Requires either HTTP Basic auth or a `?password=` query parameter.\n2. Compares the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt.\n3. Hooks into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout).\n4. Rejects requests for mounts in `disabled_mounts`.\n\nThe same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user\u0027s per-mount access nor check the CSRF token.\n\n## Timeline\n\n- 2026-02-21 \u2014 Vulnerable handler introduced (`e2b60d6`).\n- 2026-05-09 \u2014 Vulnerability identified during a maintainer-led audit.\n- 2026-05-09 \u2014 Patched in commit `8067d6b`, released as `v2.5.0`.\n- 2026-05-09 \u2014 GitHub Security Advisory published, CVE assigned.",
  "id": "GHSA-p7c4-8x34-8j8f",
  "modified": "2026-05-18T17:20:17Z",
  "published": "2026-05-18T17:20:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DatanoiseTV/tinyice/commit/8067d6b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DatanoiseTV/tinyice"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45327 (GCVE-0-2026-45327)

FKIE_CVE-2026-45327

GHSA-P7C4-8X34-8J8F

Title

Ecosystem / Package

Affected versions

Patched versions

Severity

Description

Impact

Workarounds

Detection

Fix

Timeline

Tags

Sightings

Nomenclature