PT-2026-41774 · Tinyice · Tinyice

Published

2026-05-18

·

Updated

2026-06-25

·

CVE-2026-45327

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions TinyIce versions 0.8.95 through 2.4.1
Description TinyIce is a streaming server for audio and video. A missing authentication check on the WebRTC ingest endpoint 'POST /webrtc/source-offer?mount=' allows unauthenticated users to inject streams. The handler routes offers to WebRTCManager.HandleSourceOffer, which accepts any published audio or video tracks and broadcasts them on the specified mount. This allows a network attacker to replace a legitimate broadcast with arbitrary content. Additionally, the endpoint 'POST /admin/golive/chunk' previously failed to verify the session user's per-mount access and did not check the CSRF (Cross-Site Request Forgery) token, which is a technique where an attacker tricks a user into performing actions they did not intend.
Recommendations Update to version 2.5.0 or later. As a temporary workaround, block 'POST /webrtc/source-offer' at the reverse proxy or restrict the HTTP port to a trusted network.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45327
GHSA-P7C4-8X34-8J8F
GO-2026-5534

Affected Products

Tinyice