CVE-2026-45327: TinyIce Unauthenticated Stream Injection Vulnerability (CVSS 8.2)
TinyIce is vulnerable to unauthenticated stream injection on its WebRTC ingest endpoint. An attacker without credentials can inject audio or video streams into a live broadcast, potentially disrupting service, contaminating streams with malicious content, or hijacking active broadcasts. The vulnerability affects versions 0.8.95 through 2.4.1. Patching to version 2.5.0 or later adds mandatory authentication using HTTP Basic Auth or a password query parameter, backed by bcrypt verification and brute-force protection.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
- Weaknesses (CWE)
- CWE-306
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45327 stems from a missing authentication check on the WebRTC ingest endpoint in TinyIce streaming server. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). Attackers can submit unauthenticated POST requests to inject streams without providing credentials or authorization tokens. Version 2.5.0 remediation layers in password-based authentication using bcrypt, validates credentials against per-mount source passwords or a configurable default fallback, integrates with the existing brute-force rate-limiter (5 failed attempts per IP within 15 minutes), and rejects requests targeting disabled mounts. A secondary issue in the same release addresses an adjacent endpoint, `POST /admin/golive/chunk`, which previously lacked per-mount access verification and CSRF token validation despite requiring session authentication.
Business impact
Unauthorized stream injection can severely disrupt live broadcast operations. An attacker could insert unwanted content, advertise malware, deface broadcasts, or cause service unavailability by flooding the endpoint with junk streams. This directly impacts content integrity, audience trust, and service availability. Organizations relying on TinyIce for mission-critical live streaming face reputation damage, potential legal liability if malicious content is broadcast, and operational downtime during remediation.
Affected systems
TinyIce versions 0.8.95 through 2.4.1 are vulnerable. Version 2.5.0 and later include the fix. Installations should verify their current version via `tinyice --version` or the admin dashboard and cross-reference against the vendor advisory to confirm patch applicability.
Exploitability
The vulnerability is highly exploitable. No authentication is required, the network is accessible (CVSS:3.1 AV:N), no special conditions must be present (AC:L), and exploitation requires minimal technical skill—a simple HTTP POST to the ingest endpoint. The CVSS score of 8.2 (HIGH) reflects high integrity impact (stream injection) and partial availability impact (service disruption via flood attacks). The vulnerability does not grant confidentiality access but severely compromises stream authenticity. Exploit difficulty is low; public proof-of-concept or attack tooling could emerge quickly.
Remediation
Upgrade TinyIce to version 2.5.0 or later immediately. The patch enforces password-based authentication on the ingest endpoint, integrated with bcrypt hashing and IP-based rate-limiting. After upgrading, configure strong per-mount source passwords and review the default_source_password setting to ensure it meets organizational complexity standards. Test ingestion from authorized sources post-upgrade to confirm functionality. Also audit the `POST /admin/golive/chunk` endpoint to ensure per-mount access controls are properly enforced and CSRF protections are active.
Patch guidance
Obtain TinyIce 2.5.0 or later from the official vendor repository or download page. Review the vendor security advisory for detailed migration notes and any configuration changes required for password-based authentication. In production environments, deploy the patch in a maintenance window with appropriate notification to users and broadcasters. Verify that ingest credentials are securely distributed to authorized sources via out-of-band channels (not in plaintext logs or emails). Confirm backward compatibility if your deployment uses existing ingest workflows. Rollback procedures should be tested before production rollout.
Detection guidance
Monitor ingest endpoint logs for unauthenticated POST requests before patching. Baseline normal ingest traffic and alert on requests from unexpected IP ranges or sources. Log all authentication attempts (successful and failed) post-patch. Enable verbose logging if TinyIce supports it. Use network intrusion detection to flag suspicious patterns: rapid ingest requests without proper authentication headers, requests with malformed or missing credentials, or bulk stream submissions from a single IP. In post-patch environments, watch for repeated failed authentication attempts from the same IP, which may trigger the built-in rate-limiter; correlate these with legitimate broadcaster onboarding activities.
Why prioritize this
This is a HIGH-severity vulnerability affecting core broadcast integrity with minimal exploitation barriers. The CVSS score of 8.2 reflects significant impact on stream authenticity and potential availability disruption. Organizations running TinyIce in production should prioritize patching within 48–72 hours. If the system is internet-facing or accessible to untrusted networks, treat this as critical. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory publication date, but the low barrier to exploitation means defensive action should not wait for KEV inclusion.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH severity) is driven by: (1) Network-accessible attack vector (AV:N) with no authentication required (PR:N) and minimal complexity (AC:L); (2) High impact on integrity (I:H) due to unauthorized stream injection; (3) Low availability impact (A:L) from potential service disruption via endpoint flooding or resource exhaustion. Confidentiality is not impacted (C:N). The score assumes an unchanged scope (S:U). Contextual factors elevating real-world risk include public visibility of streaming endpoints, ease of weaponization, and direct impact on broadcast credibility.
Frequently asked questions
What is the difference between the password parameter and HTTP Basic Auth in version 2.5.0?
Version 2.5.0 supports both mechanisms for backward compatibility and operational flexibility. HTTP Basic Auth encodes credentials in the Authorization header and is more secure if transmitted over HTTPS. The `?password=` query parameter is simpler for embedded clients but should only be used over encrypted connections to avoid exposing credentials in logs or proxy records. Both are validated against the same bcrypt-hashed per-mount or default password and trigger the same brute-force rate-limiter.
If an attacker is rate-limited after 5 failed attempts, how long must they wait before retrying?
The built-in rate-limiter locks out an IP for 15 minutes after 5 failed authentication attempts within the same period. This applies to both the main ingest endpoint and the secondary `POST /admin/golive/chunk` endpoint. After 15 minutes, the IP is eligible to attempt authentication again, resetting the failure counter.
Should I change the default_source_password after upgrading?
Yes. The default_source_password is a fallback used if no per-mount password is configured. If left unchanged from the vendor default or installation template, it becomes a single point of failure. Generate a strong, unique password for each mount when possible, and keep default_source_password as a securely randomized value known only to your operational team.
Does this patch address all authentication gaps in TinyIce?
The patch addresses the primary ingest endpoint and the secondary `POST /admin/golive/chunk` endpoint. However, security audits should review other administrative and management endpoints to ensure no similar gaps exist. Consider requesting a full security advisory or changelog from the vendor for a complete picture of improvements in version 2.5.0.
This analysis is based on the CVE-2026-45327 advisory published on 2026-06-05 and last modified 2026-06-17. Version numbers, patch availability, and vendor guidance should be verified against the official TinyIce security advisory and vendor website before deployment. No exploit code or weaponized proof-of-concept is provided in this analysis. Organizations should conduct internal risk assessments and compatibility testing before patching production systems. This information is provided for educational and defensive security purposes only. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-24088HIGHQualcomm Bootloader Cryptographic Verification Flaw (CVSS 8.2)
- CVE-2026-24090HIGHQualcomm Partition Table Cryptographic Flaw Enables Boot Modification
- CVE-2026-36603HIGHMercusys AC12G Unauthenticated UPnP Port Forwarding Vulnerability
- CVE-2026-45332HIGHAutomad Unauthenticated Administrator Credential Exposure
- CVE-2026-46826HIGHOracle Payroll Authorization Flaw Enables Complete System Takeover