PT-2026-42801 · Sunshine · Sunshine
Sangwon090
·
Published
2026-05-22
·
Updated
2026-05-22
·
CVE-2026-32253
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Sunshine versions prior to 2026.516.143833
Description
Client-certificate authentication can be bypassed due to improper handling of OpenSSL verification results. In the
src/crypto.cpp file, the custom verify callback incorrectly treats X509 V ERR UNABLE TO GET ISSUER CERT LOCALLY, X509 V ERR CERT NOT YET VALID, and X509 V ERR CERT HAS EXPIRED as successful outcomes. This allows untrusted certificates to pass authentication and gain access to protected HTTPS endpoints.Recommendations
Update to version 2026.516.143833.
Exploit
Fix
Improper Authentication
Improper Certificate Validation
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Sunshine