CVE-2026-45327
Deferred Deferred - Pending Action
Unauthenticated WebRTC Stream Injection in TinyIce

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-45327
EUVD
EUVD-2026-34863
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
datanoisetv tinyice From 0.8.95 (inc) to 2.4.1 (inc)
datanoisetv tinyice 2.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in TinyIce allows unauthenticated stream injection, which can lead to unauthorized modification of streaming content (integrity) and disruption of service (availability). While there is no direct confidentiality impact, the ability for an attacker to hijack streams could potentially violate compliance requirements related to data integrity and availability under standards like GDPR and HIPAA.

Specifically, GDPR and HIPAA emphasize protecting data integrity and availability to ensure trustworthiness and reliability of data processing systems. This vulnerability undermines these principles by allowing unauthorized users to inject arbitrary audio/video streams, potentially causing misinformation or service disruption.

Operators using affected versions should upgrade to version 2.5.0 or later, which enforces authentication and rate limiting, to mitigate risks and better align with compliance requirements.

Executive Summary

CVE-2026-45327 is a vulnerability in TinyIce, a Go-based WebRTC streaming server, affecting versions 0.8.95 through 2.4.1. The issue is that the WebRTC ingest endpoint (/webrtc/source-offer) lacks authentication, allowing any unauthenticated user to inject arbitrary audio or video streams into any mount point.

This means an attacker can connect to the server and publish their own audio/video streams, effectively hijacking the broadcast for all listeners on that mount. Although the legitimate source can regain control, attackers may quickly re-establish the hijack.

The vulnerability was fixed in version 2.5.0 by adding authentication via HTTP Basic auth or a password query parameter, integrating brute-force IP rate limiting, and rejecting requests for disabled mounts.

Impact Analysis

This vulnerability can impact you by allowing attackers to hijack your audio or video streams on the TinyIce server without authentication.

  • Attackers can inject arbitrary streams, replacing legitimate broadcasts and disrupting service availability.
  • The integrity of your broadcast content is compromised since unauthorized content can be streamed to your audience.
  • Although confidentiality is not directly affected, the disruption and manipulation of streams can cause significant operational and reputational damage.

Mitigation involves upgrading to version 2.5.0 or later, which enforces authentication and rate limiting to prevent unauthorized stream injection.

Detection Guidance

This vulnerability can be detected by testing the WebRTC ingest endpoint with a crafted request. A vulnerable TinyIce server will accept a request to the /webrtc/source-offer endpoint without requiring authentication, while a patched server will respond with a 401 Unauthorized error.

For example, you can use a command like the following to test the endpoint:

  • curl -X POST "http://<server-address>/webrtc/source-offer?mount=<mount>" -d '<SDP payload>' -v

If the server accepts the request without authentication, it is vulnerable. If it responds with 401 Unauthorized, it is patched.

Mitigation Strategies

Immediate mitigation steps include upgrading TinyIce to version 2.5.0 or later, which fixes the vulnerability by adding authentication requirements on the WebRTC ingest endpoint.

Additionally, you should rotate per-mount source passwords to prevent unauthorized access using previously compromised credentials.

As a temporary workaround before upgrading, you can block access to the vulnerable endpoint (/webrtc/source-offer) at a reverse proxy or firewall, or restrict access to trusted networks only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45327. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart