Description
TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on the WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user's per-mount access or check the CSRF token.
Published: 2026-06-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1 a missing authentication check on the WebRTC ingest endpoint allows any user to submit a stream to any mount point without credentials. An attacker could inject malicious or unwanted content, potentially affecting streaming integrity, misrepresenting broadcast material, or overwhelming the server with spoofed streams, which can degrade service availability.

Affected Systems

The vulnerability affects deployments of TinyIce version 0.8.95 up to 2.4.1 from the vendor DatanoiseTV. Any installation that has the ready‑to‑use WebRTC ingest endpoint enabled and no additional authentication will be susceptible. Version 2.5.0 and later include mandatory authentication via HTTP Basic or a password query string and enforce bcrypt verification along with the existing brute‑force IP rate limiter.

Risk and Exploitability

The CVSS base score is 8.2, indicating high severity. Because no EPSS score is reported, the current likelihood of exploitation cannot be assessed, and the vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the missing authentication over the network, assuming unrestricted connectivity to the ingest port, and the patch relies on the installation of v2.5.0 or later to mitigate the flaw.

Generated by OpenCVE AI on June 5, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TinyIce to version 2.5.0 or later to enforce authentication on the WebRTC ingest endpoint and address related admin endpoint weaknesses.
  • After the upgrade, verify that each mount’s source password or the default_source_password is set to a strong unique value and that disabled_mounts is correctly configured to prevent unintended streams.
  • Restrict network access to the ingest endpoint using firewalls or access controls, or disable WebRTC ingest for mounts that do not require public streaming.
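
The checks that the description attributes to version 2.5.0, modelled as an added Go example that is not TinyIce's own code. `Gate`, `Check`, the status codes, the order of the checks, the URL and the sample values are assumptions; a constant-time string compare stands in for bcrypt, and the type is not safe for concurrent use.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"time"
)

type Gate struct { // hypothetical model of the 2.5.0 ingest checks, not TinyIce code
	Mounts   map[string]string      // mount -> source password (bcrypt in TinyIce, plain here)
	Default  string                 // default_source_password fallback
	Disabled map[string]bool        // disabled_mounts
	fails    map[string][]time.Time // per-IP failure times, oldest first
}

func (g *Gate) Check(r *http.Request, mount, ip string, now time.Time) int {
	recent := g.fails[ip]
	for len(recent) > 0 && now.Sub(recent[0]) >= 15*time.Minute {
		recent = recent[1:] // drop failures that fell out of the 15-minute window
	}
	if len(recent) >= 5 {
		return http.StatusTooManyRequests // assumed status; applies even to a correct password
	}
	if g.Disabled[mount] {
		return http.StatusForbidden // assumed status
	}
	_, supplied, ok := r.BasicAuth() // HTTP Basic first, otherwise ?password=
	if !ok {
		supplied = r.URL.Query().Get("password")
	}
	want, found := g.Mounts[mount]
	if !found {
		want = g.Default
	}
	if want == "" || subtle.ConstantTimeCompare([]byte(supplied), []byte(want)) != 1 {
		if g.fails == nil {
			g.fails = map[string][]time.Time{}
		}
		g.fails[ip] = append(recent, now) // an unset password never matches an empty one
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	g := &Gate{Default: "constructed-pw"}
	r, _ := http.NewRequest("POST", "http://tinyice.example/ingest", nil) // constructed URL, no credentials
	fmt.Println(g.Check(r, "/live", "203.0.113.7", time.Now()))
}
```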

Advisories
| Source | ID | Title |
| --- | --- | --- |
| Github GHSA | GHSA-p7c4-8x34-8j8f | TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection |

History

Fri, 05 Jun 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 05 Jun 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token. |
| Title | | TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection |
| Weaknesses | | CWE-306 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:07:26.982Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45327

Vulnrichment

Updated: 2026-06-05T19:07:22.107Z

NVD

Status: Deferred

Published: 2026-06-05T18:17:27.220

Modified: 2026-06-05T19:02:13.790

Link: CVE-2026-45327

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T18:45:06Z
