PT-2026-42801 · Sunshine · Sunshine

Sangwon090

·

Published

2026-05-22

·

Updated

2026-05-22

·

CVE-2026-32253

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Sunshine versions prior to 2026.516.143833
Description Client-certificate authentication can be bypassed due to improper handling of OpenSSL verification results. In the src/crypto.cpp file, the custom verify callback incorrectly treats X509 V ERR UNABLE TO GET ISSUER CERT LOCALLY, X509 V ERR CERT NOT YET VALID, and X509 V ERR CERT HAS EXPIRED as successful outcomes. This allows untrusted certificates to pass authentication and gain access to protected HTTPS endpoints.
Recommendations Update to version 2026.516.143833.

Exploit

Fix

Improper Authentication

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-32253
GHSA-PH75-MGXH-MV57

Affected Products

Sunshine