Description
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
Published: 2026-05-22
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Sunshine allows an attacker to bypass client-certificate authentication by exploiting a flawed OpenSSL verification callback that treats several certificate errors as success. The flaw can let an untrusted or rogue certificate pass validation and grant access to protected HTTPS endpoints, potentially exposing sensitive data or enabling further compromise of the host server.
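The following is an added illustration, not code from Sunshine's src/crypto.cpp: it models the decision an OpenSSL verify callback makes (accept = 1, reject = 0) given the preverification result and the X509_V_ERR_* code, placing the flawed pattern the advisory describes beside a hardened one. The function names, the scenario table and the fallback numeric constants (copied from OpenSSL's x509_vfy.h so the file builds without the library installed) are assumptions for this example.

```c
#include <stdio.h>

/* Use the real OpenSSL error codes when the headers are installed; otherwise
 * fall back to the numeric values from OpenSSL's x509_vfy.h (assumed here so
 * the example compiles stand-alone). Only macros are used, so no -lcrypto. */
#ifdef __has_include
#  if __has_include(<openssl/x509_vfy.h>)
#    include <openssl/x509_vfy.h>
#    define HAVE_OPENSSL_X509_VFY 1
#  endif
#endif
#ifndef HAVE_OPENSSL_X509_VFY
#  define X509_V_OK                                    0
#  define X509_V_ERR_CERT_NOT_YET_VALID                9
#  define X509_V_ERR_CERT_HAS_EXPIRED                  10
#  define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       18
#  define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#endif

/* Vulnerable pattern (modelled on the advisory, not Sunshine's source):
 * "could not build a chain to a locally trusted issuer" and "outside the
 * validity period" are promoted to success, so a certificate that no
 * trusted party vouched for is accepted as an authenticated client. */
int verify_cb_vulnerable(int preverify_ok, int err) {
    if (preverify_ok) return 1;
    switch (err) {
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return 1;   /* bug: untrusted or stale certificate passes */
    default:
        return 0;
    }
}

/* Hardened pattern: trust OpenSSL's verdict. Any non-zero error, including
 * the three above, rejects the client. An application that must accept a
 * known self-signed client certificate should do so through an explicit
 * comparison against its stored (pinned) certificate, never by mapping a
 * whole error class to "OK". */
int verify_cb_fixed(int preverify_ok, int err) {
    return (preverify_ok && err == X509_V_OK) ? 1 : 0;
}

/* Constructed scenarios: (preverify_ok, err) pairs as OpenSSL would hand
 * them to the callback for the leaf certificate. */
typedef struct { const char *name; int preverify_ok; int err; } scenario_t;

static const scenario_t scenarios[] = {
    { "valid chain to trusted CA",       1, X509_V_OK },
    { "issuer not in local trust store", 0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY },
    { "expired certificate",             0, X509_V_ERR_CERT_HAS_EXPIRED },
    { "not yet valid certificate",       0, X509_V_ERR_CERT_NOT_YET_VALID },
    { "self-signed leaf",                0, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT },
};

#define N_SCENARIOS (sizeof scenarios / sizeof scenarios[0])

/* Number of constructed scenarios a given callback would let through. */
int count_accepted(int (*cb)(int, int)) {
    int n = 0;
    for (size_t i = 0; i < N_SCENARIOS; i++)
        n += cb(scenarios[i].preverify_ok, scenarios[i].err);
    return n;
}

int main(void) {
    for (size_t i = 0; i < N_SCENARIOS; i++)
        printf("%-34s vulnerable=%d fixed=%d\n", scenarios[i].name,
               verify_cb_vulnerable(scenarios[i].preverify_ok, scenarios[i].err),
               verify_cb_fixed(scenarios[i].preverify_ok, scenarios[i].err));
    printf("accepted: vulnerable=%d of %zu, fixed=%d of %zu\n",
           count_accepted(verify_cb_vulnerable), N_SCENARIOS,
           count_accepted(verify_cb_fixed), N_SCENARIOS);
    return 0;
}
```

The scenario table is the useful part for a reviewer: the flawed callback accepts four of the five constructed cases, while the hardened one accepts only the chain that actually verifies. When auditing a custom verify callback, list every error code it maps to success and ask what trust statement each one still carries; "issuer not found locally" carries none.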

Affected Systems

All deployed instances of LizardByte Sunshine, the self-hosted game-stream server that serves Moonlight clients, running versions older than v2026.516.143833.

Risk and Exploitability

The issue carries a CVSS score of 9.8, indicating a very high impact if exploited. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can remotely connect to the Sunshine HTTPS service with a crafted client certificate; because the server inadvertently accepts the certificate, the attacker can authenticate and exercise full control of the restricted endpoints. The vulnerability remains exploitable until the software is updated to v2026.516.143833 or later, where proper certificate validation is restored.

Generated by OpenCVE AI on May 22, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sunshine to version 2026.516.143833 or newer, which corrects the certificate validation logic.
  • If an update cannot be applied immediately, disable client‑certificate authentication or block inbound HTTPS traffic to Sunshine until the patch is deployed.
  • After remediation, monitor Sunshine logs for unexpected client connections and ensure certificate policies are enforced consistently across the network.

Advisories

No advisories yet.

History

Fri, 22 May 2026 19:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Lizardbyte
                                       Lizardbyte sunshine
Vendors & Products                     Lizardbyte
                                       Lizardbyte sunshine

Fri, 22 May 2026 17:15:00 +0000

Type          Values Removed    Values Added
Description                     Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
Title                           Sunshine: Authentication bypass via improper client certificate validation
Weaknesses                      CWE-287
                                CWE-295
References
Metrics                         cvssV3_1
                                {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Lizardbyte Sunshine
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T17:07:04.619Z

Reserved: 2026-03-11T14:47:05.686Z

Link: CVE-2026-32253

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T19:30:43Z

Weaknesses