CVE-2026-45327: TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection
TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on the WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking the endpoint into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts listed in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but verified neither the session user's per-mount access nor the CSRF token.
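The checks the 2.5.0 fix describes, written out as an added example. This is not TinyIce's own code: it models the ingest authentication (Basic auth or `?password=`, per-mount password with the `default_source_password` fallback, the 5-failures-per-IP-in-15-minutes lockout, and the `disabled_mounts` rejection) plus the adjacent golive chunk check (session, CSRF token, per-mount access). Assumptions: PBKDF2-HMAC-SHA256 stands in for bcrypt so the block runs on the standard library alone; the order of the checks, the HTTP status codes, the decision to deny when neither a per-mount nor a default password is configured, and the `Session` shape are all illustrative.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5            # failed attempts per IP ...
WINDOW_SECONDS = 15 * 60    # ... inside this window trigger a lockout (per the advisory)
PBKDF2_ROUNDS = 100_000

# The real fix uses bcrypt; PBKDF2-HMAC-SHA256 stands in here (assumption) so the
# example needs no third-party package. Stored form: "<b64 salt>$<b64 derived key>".
def hash_password(password: str, salt: bytes | None = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(dk).decode()

def verify_password(password: str, stored: str) -> bool:
    salt_b64, dk_b64 = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))   # constant-time comparison

@dataclass
class RateLimiter:
    """Per-IP sliding window: MAX_FAILURES failures within WINDOW_SECONDS lock the IP out."""
    failures: dict[str, list[float]] = field(default_factory=dict)

    def _recent(self, ip: str, now: float) -> list[float]:
        kept = [t for t in self.failures.get(ip, []) if t > now - WINDOW_SECONDS]
        self.failures[ip] = kept
        return kept

    def locked_out(self, ip: str, now: float) -> bool:
        return len(self._recent(ip, now)) >= MAX_FAILURES

    def record_failure(self, ip: str, now: float) -> None:
        self._recent(ip, now).append(now)

@dataclass
class Config:
    mount_passwords: dict[str, str]        # mount -> stored hash of its source password
    default_source_password: str | None    # stored hash used when a mount has no password
    disabled_mounts: set[str] = field(default_factory=set)

def supplied_password(headers: dict[str, str], query: dict[str, str]) -> str | None:
    """HTTP Basic auth wins when present; otherwise the ?password= query parameter."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None                      # malformed header: treat as no credentials
        return decoded.partition(":")[2]     # "user:password" -> password
    return query.get("password")

def authorize_ingest(cfg: Config, limiter: RateLimiter, ip: str, mount: str,
                     headers: dict[str, str], query: dict[str, str],
                     now: float | None = None) -> tuple[int, str]:
    """Return (status, reason) for a WebRTC ingest request. Check order and codes are assumptions."""
    now = time.time() if now is None else now
    if mount in cfg.disabled_mounts:
        return 403, "mount disabled"
    if limiter.locked_out(ip, now):
        return 429, "too many failed attempts"
    password = supplied_password(headers, query)
    if password is None:
        return 401, "authentication required"
    expected = cfg.mount_passwords.get(mount, cfg.default_source_password)
    # No per-mount and no default password configured: deny rather than fall open (assumption).
    if expected is None or not verify_password(password, expected):
        limiter.record_failure(ip, now)
        return 401, "bad credentials"
    return 200, "ok"

@dataclass
class Session:
    user: str
    csrf_token: str
    mounts: set[str]          # mounts this session's user may publish to (assumed shape)

def authorize_golive_chunk(session: Session | None, csrf_token: str | None, mount: str) -> tuple[int, str]:
    """The adjacent admin fix: session, then CSRF token, then per-mount access."""
    if session is None:
        return 401, "session required"
    if csrf_token is None or not hmac.compare_digest(session.csrf_token, csrf_token):
        return 403, "csrf token mismatch"
    if mount not in session.mounts:
        return 403, "no access to mount"
    return 200, "ok"

def basic_header(user: str, password: str) -> dict[str, str]:
    """Build the Authorization header a publisher would send (helper for trying the check)."""
    return {"authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}
```

Try it with `Config({"/live": hash_password("live-secret")}, hash_password("fallback-secret"), {"/old"})`: a request with no credentials gets 401, `basic_header("source", "live-secret")` on `/live` gets 200, `/old` gets 403 regardless of credentials, and five wrong passwords from one IP turn the sixth attempt into a 429 even when the password is right, until the 15-minute window has passed. Note that the failure counter is only advanced on a wrong or unconfigured password, not on a missing header, so a scanner that never sends credentials does not lock anyone out, while one that guesses does.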
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: 2.5.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
Missing authentication on the WebRTC ingest endpoint in TinyIce (versions 0.8.95 through 2.4.1) allows any unauthenticated caller with network access to inject arbitrary audio or video streams into any configured mount point. The vulnerability is reachable over the network with no credentials and no user interaction, so it can be exploited at scale with nothing more than the service's address. Successful exploitation lets an attacker overwrite legitimate broadcast content and disrupt stream availability. Upstream fixes the issue in version 2.5.0, which puts the ingest endpoint behind the source-password check; HarborGuard tracks this advisory and surfaces a patched-image rebuild against that release.
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-45327 is active across every HarborGuard environment, with the CVE matched against customer images within minutes of its ingestion from upstream advisory feeds. Coverage extends to custom-built images that bundle TinyIce, including internal forks and repackaged distributions.
- Scoring and triage: Available. HarborGuard scores this finding at CVSS 8.2 HIGH, weights it against each customer's per-environment compliance policy, and routes alerts to the appropriate team inbox within that organization. Triage views surface the exact affected version range (0.8.95 to 2.4.1) alongside the impacted image layers to accelerate ownership assignment.
- Remediation: The upstream fix is version 2.5.0. HarborGuard re-evaluates this advisory on every ingest cycle and makes a patched-image rebuild available once that release, or a later one, is confirmed upstream. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are initiated without manual intervention as soon as the fix is confirmed.
Exploit Conditions
- Network reachability: Required. The WebRTC ingest endpoint is exposed over the network, so an attacker must be able to reach the TinyIce service via a routable network path.
- Authentication: Not required. No credentials of any kind are needed; the ingest endpoint accepts unauthenticated requests in all affected versions.
- Victim interaction: Not required. The attack is fully server-side and completes without any action from an operator or viewer.
- Attack complexity: Low (AC:L in the CVSS vector). Exploit conditions are minimal and reliable, with no race conditions, memory-layout dependencies, or other environmental prerequisites to satisfy.
Blast Radius
- Attacker injects arbitrary audio or video content onto any accessible mount point, replacing legitimate broadcast streams with attacker-controlled media.
- Injected streams disrupt availability of the affected mount, degrading or terminating service for downstream listeners and viewers.
- The adjacent `POST /admin/golive/chunk` endpoint, hardened in the same 2.5.0 release, previously let a session-authenticated user submit chunk data to mounts they were not authorized for, and did not check the CSRF token, so a request forged from another origin could ride on an operator's existing session. This broadens the surface for content tampering beyond the unauthenticated ingest path.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45327 is active against all scanned images carrying TinyIce 0.8.95 through 2.4.1, with no configuration required. The upstream fix is version 2.5.0; HarborGuard monitors the advisory on every ingest cycle and triggers a patched-image rebuild once 2.5.0 or later is confirmed upstream, and for customers with auto-remediation enabled this includes a regression-test run and a PR opened against affected workloads. Until affected workloads are rebuilt on 2.5.0, recommended compensating controls are: a network policy on the TinyIce ingest endpoint that restricts inbound connections to known publisher CIDR ranges (this has to be an ingress rule; egress filtering does not stop the container from accepting inbound WebRTC signaling), and disabling any publicly exposed mount points that are not actively in use via the existing `disabled_mounts` configuration. After upgrading, confirm that every ingest mount has a per-mount source password or that `default_source_password` is set to a strong value, because the new check can only enforce a password that exists, and prefer HTTP Basic auth over the `?password=` query parameter for publishers, since query strings are routinely recorded in access logs and by intermediate proxies.
Affected Products
- DatanoiseTV/tinyice: >= 0.8.95, < 2.5.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L