Description
Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client (active) role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in standard deployments, but enables a full man-in-the-middle attack when chained with insecure signalling or a peer with similar validation gaps. This vulnerability is fixed in 0.15.1 and 0.16.1.
Published: 2026-05-14
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the DTLS client (active) role, Elixir WebRTC's handshake does not check that the certificate presented by the remote peer matches the fingerprint that peer advertised in signalling (the SDP a=fingerprint attribute), so one half of WebRTC's mutual authentication is missing. On its own the flaw does not permit media interception in standard deployments; it becomes a full man-in-the-middle when combined with an insecure signalling channel or a remote peer that has the same validation gap. The CVSS v4.0 vector rates the vulnerable system's integrity impact as high and its confidentiality impact as none, which reflects that the flaw alone weakens the binding between a peer's signalled identity and the certificate it presents rather than exposing media directly.
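The check the advisory is about, as an added example that is not ex_webrtc's own code: a WebRTC endpoint learns the expected fingerprint from the peer's SDP a=fingerprint line (RFC 8122/RFC 8827), hashes the DER certificate the peer presents during the DTLS handshake with that algorithm, and completes the handshake only if the digests match. The DER byte strings and the SDP answer below are constructed stand-ins, and `client_accepts` is a hypothetical model of the active-role decision, with `validate=False` reproducing the affected behaviour.

```python
import hashlib
import hmac
import re

# SDP hash-function names (RFC 8122) mapped to hashlib algorithm names.
SDP_HASH_ALGS = {
    "sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
    "sha-384": "sha384", "sha-512": "sha512",
}

_FINGERPRINT_LINE = re.compile(
    r"^a=fingerprint:(?P<alg>[A-Za-z0-9-]+)\s+"
    r"(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$"
)


def parse_fingerprint(sdp: str) -> tuple[str, bytes]:
    """Return (hashlib name, digest bytes) from the remote SDP's a=fingerprint line."""
    for line in sdp.splitlines():
        m = _FINGERPRINT_LINE.match(line.strip())
        if m:
            alg = m.group("alg").lower()
            if alg not in SDP_HASH_ALGS:
                raise ValueError(f"unsupported fingerprint hash: {alg}")
            return SDP_HASH_ALGS[alg], bytes.fromhex(m.group("fp").replace(":", ""))
    raise ValueError("remote SDP carries no a=fingerprint line")


def cert_fingerprint(cert_der: bytes, alg: str) -> bytes:
    """Digest over the DER encoding of the peer's end-entity certificate."""
    return hashlib.new(alg, cert_der).digest()


def format_fingerprint(cert_der: bytes, alg: str = "sha256") -> str:
    """Render the a=fingerprint attribute an endpoint places in its own SDP."""
    sdp_name = next(n for n, h in SDP_HASH_ALGS.items() if h == alg)
    hexdigest = cert_fingerprint(cert_der, alg).hex().upper()
    pairs = ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return f"a=fingerprint:{sdp_name} {pairs}"


def verify_peer(cert_der: bytes, alg: str, expected: bytes) -> bool:
    """The check the active side must run on the server's Certificate message:
    hash the presented cert with the signalled algorithm and compare in constant
    time with the signalled digest (compare_digest also fails on a length mismatch)."""
    return hmac.compare_digest(cert_fingerprint(cert_der, alg), expected)


def client_accepts(remote_sdp: str, presented_cert_der: bytes, validate: bool) -> bool:
    """Hypothetical model of the DTLS client (active role) deciding whether to finish
    the handshake. validate=False reproduces the affected behaviour: the presented
    certificate is never tied back to the signalled fingerprint, so any cert passes."""
    if not validate:
        return True
    alg, expected = parse_fingerprint(remote_sdp)
    return verify_peer(presented_cert_der, alg, expected)


# Constructed stand-ins for DER-encoded self-signed certificates (hypothetical bytes;
# the fingerprint is a digest over the DER bytes, so any byte string exercises the check).
PEER_CERT_DER = b"\x30\x82\x01\x2a" + b"honest-peer-self-signed-cert".ljust(40, b"\x00")
ATTACKER_CERT_DER = b"\x30\x82\x01\x2a" + b"attacker-substituted-cert".ljust(40, b"\x00")

# Constructed remote answer: the honest peer advertises its own cert's fingerprint
# and takes the passive (DTLS server) role, so our side is the active client.
REMOTE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 0.0.0.0",
    "s=-",
    "m=audio 9 UDP/TLS/RTP/SAVPF 111",
    "a=setup:passive",
    format_fingerprint(PEER_CERT_DER),
])

if __name__ == "__main__":
    for label, cert in (("honest peer", PEER_CERT_DER), ("MITM cert", ATTACKER_CERT_DER)):
        print(f"{label:12} fixed: {client_accepts(REMOTE_SDP, cert, True)}  "
              f"affected: {client_accepts(REMOTE_SDP, cert, False)}")
```

The attacker case is the chained scenario from the description: an adversary who can relay the handshake presents a certificate of their own; a validating client rejects it because the digest no longer matches what signalling promised, while the affected client completes the handshake and has no way to tell the two apart. The comparison is done with `hmac.compare_digest` so that the check itself does not leak which byte of the digest diverged.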

Affected Systems

The issue affects the elixir-webrtc ex_webrtc library: every release before 0.15.1, and 0.16.0 (the 0.16 line is fixed in 0.16.1). No other products or vendor versions are listed as affected.

Risk and Exploitability

The CVSS v4.0 score of 8.7 rates the issue as high severity (network-reachable, low complexity, no privileges or user interaction, high integrity impact). The EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an attacker who can take the DTLS server (passive) role toward the vulnerable client and who can also control or tamper with the signalling channel, for example through a malicious relay or a compromised signalling peer, or a remote peer with the same validation gap. Under those conditions the attacker can present a certificate of their own, which the client accepts without tying it back to the signalled fingerprint, and then sit between the parties to intercept or alter media.

Generated by OpenCVE AI on May 14, 2026 at 22:50 UTC.

Remediation

Fixed by the vendor in ex_webrtc 0.15.1 and 0.16.1; no workaround is listed.

OpenCVE Recommended Actions

  • Upgrade ex_webrtc to 0.15.1 (0.15 line) or 0.16.1 (0.16 line) or later; note that 0.16.0 is also affected, so "newer than 0.15.1" on its own is not sufficient.
  • Confirm the version actually resolved in your project's mix.lock rather than only the constraint in mix.exs, since the fix lives inside the library.
  • Use a secure signalling channel (e.g., TLS or an authenticated WebSocket) so that attackers cannot alter signalling messages or inject a malicious peer; the missing check matters most when signalling can be tampered with.



Advisories
Source: GitHub GHSA
ID: GHSA-qwfw-ggxw-577c
Title: ex_webrtc client-role handshake is missing DTLS peer fingerprint validation
History

Fri, 15 May 2026 12:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 21:15:00 +0000

Type: Description
Values added: Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client (active) role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in standard deployments, but enables a full man-in-the-middle attack when chained with insecure signalling or a peer with similar validation gaps. This vulnerability is fixed in 0.15.1 and 0.16.1.

Type: Title
Values added: Elixir WebRTC: Missing DTLS peer fingerprint validation in ex_webrtc client-role handshake

Type: Weaknesses
Values added: CWE-295

Type: References
Values added: (values not shown)

Type: Metrics (cvssV4_0)
Values added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T11:22:24.715Z

Reserved: 2026-05-07T17:07:09.317Z

Link: CVE-2026-44700

Vulnrichment

Updated: 2026-05-15T11:22:19.343Z

NVD

Status: Deferred

Published: 2026-05-14T21:16:47.907

Modified: 2026-05-15T14:53:48.823

Link: CVE-2026-44700

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T23:00:13Z

Weaknesses