PT-2026-41774 · Tinyice · Tinyice
Published
2026-05-18
·
Updated
2026-06-25
·
CVE-2026-45327
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
TinyIce versions 0.8.95 through 2.4.1
Description
TinyIce is a streaming server for audio and video. A missing authentication check on the WebRTC ingest endpoint 'POST /webrtc/source-offer?mount=' allows unauthenticated users to inject streams. The handler routes offers to
WebRTCManager.HandleSourceOffer, which accepts any published audio or video tracks and broadcasts them on the specified mount. This allows a network attacker to replace a legitimate broadcast with arbitrary content. Additionally, the endpoint 'POST /admin/golive/chunk' previously failed to verify the session user's per-mount access and did not check the CSRF (Cross-Site Request Forgery) token, which is a technique where an attacker tricks a user into performing actions they did not intend.Recommendations
Update to version 2.5.0 or later.
As a temporary workaround, block 'POST /webrtc/source-offer' at the reverse proxy or restrict the HTTP port to a trusted network.
Exploit
Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tinyice