CVE-2026-32253
9.8 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Sunshine: Authentication bypass via improper client certificate validation
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
References
- https://github.com/LizardByte/Sunshine/security/advisories/GHSA-ph75-mgxh-mv57 x_refsource_CONFIRM
- https://github.com/LizardByte/Sunshine/releases/tag/v2026.516.143833 x_refsource_MISC
Affected products
Sunshine
- < 2026.516.143833
Matching in nixpkgs
pkgs.sunshine
Game stream host for Moonlight
- nixos-unstable 2025.924.154138
- nixpkgs-unstable 2025.924.154138
- nixos-unstable-small 2025.924.154138
- nixos-25.11 2025.924.154138
- nixos-25.11-small 2025.924.154138
- nixpkgs-25.11-darwin 2025.924.154138
Package maintainers
- @honnip Jung seungwoo <me@honnip.page>
- @devusb Morgan Helton <mhelton@devusb.us>
- @ap-1 Anish Pallati <i@anish.land>