{"id":"CVE-2026-32253","summary":"Sunshine: Authentication bypass via improper client certificate validation","details":"Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.","aliases":["GHSA-ph75-mgxh-mv57"],"modified":"2026-07-08T08:12:46.877095369Z","published":"2026-05-22T17:07:04.619Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32253.json","cwe_ids":["CWE-287","CWE-295"]},"references":[{"type":"WEB","url":"https://github.com/LizardByte/Sunshine/releases/tag/v2026.516.143833"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32253.json"},{"type":"ADVISORY","url":"https://github.com/LizardByte/Sunshine/security/advisories/GHSA-ph75-mgxh-mv57"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32253"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lizardbyte/sunshine","events":[{"introduced":"0"},{"fixed":"14ffa6fdaa53f7b51512be2b3d24f3939695403c"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2026.516.143833"}],"cpe":"cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*"}}],"versions":["v2026.516.30826","v2026.515.151803","v2026.513.230134","v2026.508.45922","v2026.507.123453","v2026.409.171120","v2026.408.194927","v2026.331.130344","v2026.331.21700","v2026.314.25625","v2026.311.154809","v2026.310.23228","v2026.302.133823","v2026.228.232233","v2026.228.25700","v2026.226.41312","v2026.225.33545","v2026.224.134041","v2026.223.155824","v2026.222.224531","v2026.221.41532","v2026.220.22826","v2026.218.44016","v2026.215.224211","v2026.214.224301","v2026.214.30634","v2026.213.34323","v2026.211.162838","v2026.211.25443","v2026.209.34151","v2026.208.203040","v2026.206.151412","v2026.204.180221","v2026.203.160441","v2026.121.232953","v2026.121.33416","v2025.924.154138","v2025.923.33222","v2025.628.4510","v2025.122.141614","v2025.118.151840","v0.11.1","v0.11.0","v0.10.0","v0.9.0","v0.8.0","v0.4.0","v0.3.1","v0.3.0","v0.2.0","v0.1.1","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32253.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}