CVE-2026-32253
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2026-05-22

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-22
Last Modified
2026-05-26
Generated
2026-06-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32253
EUVD
EUVD-2026-31469
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lizardbyte sunshine to 2026.516.143833 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
AI Quick Actions have not been generated yet.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32253. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart