CVE-2026-32253 Overview
CVE-2026-32253 is a critical authentication bypass vulnerability in Sunshine, a self-hosted game stream host for Moonlight clients. The flaw resides in the client-certificate authentication routine, where the custom OpenSSL verification callback in src/crypto.cpp treats specific verification errors as success. An attacker on the network can present an untrusted certificate and gain access to protected HTTPS endpoints. The issue affects all Sunshine versions before 2026.516.143833 and is tracked under [CWE-287] Improper Authentication.
Critical Impact
Remote attackers can bypass client-certificate authentication and access protected HTTPS endpoints without valid credentials, compromising confidentiality, integrity, and availability.
Affected Products
- LizardByte Sunshine versions prior to 2026.516.143833
- Self-hosted Sunshine game stream host deployments
- Moonlight client pairings relying on Sunshine certificate validation
Discovery Timeline
- 2026-05-22 - CVE-2026-32253 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-32253
Vulnerability Analysis
Sunshine uses mutual TLS to authenticate paired Moonlight clients before exposing privileged HTTPS endpoints. The server installs a custom verification callback on the OpenSSL SSL_CTX to enforce trust against pinned client certificates. In affected versions, the callback inspects the OpenSSL error code and incorrectly returns success for several failure conditions.
Specifically, the callback in src/crypto.cpp treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as if verification had passed. Any of these conditions normally signal that the presented certificate cannot be trusted. The result is a complete bypass of client-certificate authentication for any HTTPS endpoint the server protects.
Root Cause
The root cause is improper handling of OpenSSL verification results within Sunshine's custom verify callback. Rather than returning failure for certificates whose issuer is absent from the trust store, certificates that are not yet valid, or expired certificates, the callback returns success. This violates the contract expected by OpenSSL's certificate chain validation logic and converts the verification step into a no-op for those error codes.
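The following is an added example, not code from Sunshine's src/crypto.cpp. It models the OpenSSL verify-callback contract (the callback receives the pre-verification result and the X509 error code and returns non-zero to let the handshake continue) with the certificate, trust store and clock reduced to plain Python values, and puts the error-to-success pattern described above next to a callback that never upgrades a failed pre-verification. The error-code values are the ones defined in OpenSSL's x509_vfy.h; all certificate fingerprints and timestamps are constructed.

```python
"""Model of the OpenSSL verify-callback contract used by a mutual-TLS server.

Added example, not Sunshine's src/crypto.cpp. OpenSSL calls
int cb(int preverify_ok, X509_STORE_CTX *ctx) for each certificate it checks;
here the certificate, trust store and clock are plain Python values so the
decision logic can be run offline. Error-code values are those in x509_vfy.h.
"""
from dataclasses import dataclass
from typing import Callable, Set, Tuple

# Result codes as defined in OpenSSL's x509_vfy.h
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20


@dataclass(frozen=True)
class ClientCert:
    """Minimal stand-in for an X509 leaf certificate (constructed for the model)."""
    fingerprint: str         # identifies the certificate itself
    issuer_fingerprint: str  # identifies the certificate that signed it
    not_before: int          # validity window as Unix timestamps
    not_after: int


VerifyCallback = Callable[[int, int], int]


def openssl_preverify(cert: ClientCert, store: Set[str], now: int) -> Tuple[int, int]:
    """Mirror what OpenSSL has decided before it invokes the verify callback.

    A store holding pinned client certificates can complete a chain only if the
    issuer (the pinned leaf itself, for self-issued certs) is present; otherwise
    the chain walk stops with UNABLE_TO_GET_ISSUER_CERT_LOCALLY. The validity
    window yields NOT_YET_VALID or HAS_EXPIRED.
    """
    if cert.issuer_fingerprint not in store:
        return 0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    if now < cert.not_before:
        return 0, X509_V_ERR_CERT_NOT_YET_VALID
    if now > cert.not_after:
        return 0, X509_V_ERR_CERT_HAS_EXPIRED
    return 1, X509_V_OK


def vulnerable_callback(preverify_ok: int, error: int) -> int:
    """The pattern the advisory describes: selected errors are treated as success."""
    if error in (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
                 X509_V_ERR_CERT_NOT_YET_VALID,
                 X509_V_ERR_CERT_HAS_EXPIRED):
        return 1  # BUG: tells OpenSSL to continue as though the chain verified
    return preverify_ok


def fixed_callback(preverify_ok: int, error: int) -> int:
    """Hardened form: a failed pre-verification is never turned into success."""
    if error != X509_V_OK:
        return 0
    return preverify_ok


def handshake_accepts(cert: ClientCert, store: Set[str], now: int,
                      callback: VerifyCallback) -> bool:
    """OpenSSL keeps the connection only if the callback returns non-zero."""
    preverify_ok, error = openssl_preverify(cert, store, now)
    return callback(preverify_ok, error) == 1


# Constructed scenario: one pinned (self-issued) client cert and an unpaired one.
PINNED_STORE = {"sha256:paired-moonlight-client"}
NOW = 1_800_000_000
PAIRED = ClientCert("sha256:paired-moonlight-client", "sha256:paired-moonlight-client",
                    NOW - 86_400, NOW + 86_400)
UNPAIRED = ClientCert("sha256:unpaired-client", "sha256:unpaired-client",
                      NOW - 86_400, NOW + 86_400)
EXPIRED_PAIRED = ClientCert("sha256:paired-moonlight-client", "sha256:paired-moonlight-client",
                            NOW - 2 * 86_400, NOW - 86_400)


def compare() -> dict:
    """Return (vulnerable, fixed) accept decisions for each scenario."""
    cases = {"paired": PAIRED, "unpaired": UNPAIRED, "expired": EXPIRED_PAIRED}
    return {name: (handshake_accepts(c, PINNED_STORE, NOW, vulnerable_callback),
                   handshake_accepts(c, PINNED_STORE, NOW, fixed_callback))
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in compare().items():
        print(f"{name:9s} vulnerable={'accept' if vuln else 'reject'} "
              f"fixed={'accept' if fixed else 'reject'}")
```

Running the model shows the unpaired and expired certificates accepted by the vulnerable callback and rejected by the fixed one, while the paired certificate passes both; the only difference between the two callbacks is whether an X509_V_ERR_* code can ever produce a non-zero return.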
Attack Vector
The attack is network-reachable and requires no prior authentication or user interaction. An attacker generates a self-signed certificate, points a TLS client at the Sunshine HTTPS service, and presents the certificate during the mutual TLS handshake. Because the verify callback accepts the unknown issuer, the connection is established and the attacker reaches protected API endpoints. From there the attacker can interact with streaming, pairing, and configuration functionality exposed by the host.
No public proof-of-concept code has been verified for this advisory. Refer to the GitHub Security Advisory GHSA-ph75-mgxh-mv57 for vendor-provided technical detail.
Detection Methods for CVE-2026-32253
Indicators of Compromise
- Successful HTTPS sessions to Sunshine endpoints originating from IP addresses not associated with previously paired Moonlight clients.
- Sunshine logs showing accepted TLS handshakes with client certificates whose issuer is unknown to the server's trust store.
- Unexpected pairing, streaming, or configuration API calls outside normal user activity windows.
Detection Strategies
- Inspect TLS handshake metadata at the network edge for client certificates with self-signed or unknown issuers presented to the Sunshine listener port.
- Correlate authentication events in Sunshine logs with the set of trusted client certificate fingerprints; flag any session whose fingerprint is not on the allowlist.
- Hunt for outbound connections from Sunshine hosts to attacker-controlled infrastructure that may follow a successful bypass.
Monitoring Recommendations
- Enable verbose TLS and HTTP logging on Sunshine and forward logs to a central SIEM for retention and analysis.
- Alert on first-seen client certificate fingerprints connecting to Sunshine HTTPS endpoints.
- Monitor process and network activity on hosts running Sunshine for anomalous child processes spawned from the streaming service.
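The fingerprint-allowlist correlation and first-seen alerting recommended in the Detection Strategies and Monitoring Recommendations lists above, as an added example that is not part of the advisory or of Sunshine. The log line layout, the endpoint paths, and every fingerprint and IP address are constructed for the example; the advisory does not give Sunshine's actual log format, so LINE_RE must be adapted to the fields a real deployment emits.

```python
"""Correlate TLS client-certificate fingerprints in access logs with the
allowlist of paired clients, and alert on first-seen fingerprints.

Added example, not part of the advisory or of Sunshine. The log layout, the
endpoint paths and all fingerprints and addresses are constructed; adapt
LINE_RE to the fields your deployment actually logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample lines: timestamp, source IP, client cert fingerprint, request, status.
SAMPLE_LOG = """\
2026-05-20T19:02:11Z src=192.168.1.20 client_fp=sha256:aaaa1111 GET /serverinfo 200
2026-05-20T19:02:12Z src=192.168.1.20 client_fp=sha256:aaaa1111 GET /applist 200
2026-05-20T23:41:07Z src=203.0.113.77 client_fp=sha256:ffff9999 GET /serverinfo 200
2026-05-20T23:41:08Z src=203.0.113.77 client_fp=sha256:ffff9999 POST /pair 200
2026-05-21T08:15:30Z src=192.168.1.21 client_fp=sha256:bbbb2222 GET /applist 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) client_fp=(?P<fp>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Fingerprints of clients paired through the normal flow (constructed allowlist).
PAIRED_FINGERPRINTS: Set[str] = {"sha256:aaaa1111", "sha256:bbbb2222"}

# Endpoints where an unpinned client matters most (constructed names, not Sunshine's).
SENSITIVE_PATHS = {"/pair", "/launch", "/config"}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    fingerprint: str
    rule: str
    severity: str
    path: str


def analyze(log_text: str, allowlist: Set[str]) -> List[Finding]:
    """Run both detections over a block of log lines and return the findings."""
    seen: Set[str] = set()
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparsable line; a production job would count these
        ts, src, fp, path, status = m["ts"], m["src"], m["fp"], m["path"], m["status"]
        pinned = fp in allowlist

        # Rule 1: first-seen fingerprint. Informational when it is on the
        # allowlist (a new log window, a re-pair), high when it is unknown.
        if fp not in seen:
            seen.add(fp)
            findings.append(Finding(ts, src, fp, "first-seen-fingerprint",
                                    "info" if pinned else "high", path))

        # Rule 2: a successful (2xx) request from a certificate that is not on
        # the allowlist is exactly what the bypass produces; escalate when the
        # endpoint is one of the sensitive ones.
        if not pinned and status.startswith("2"):
            sev = "critical" if path in SENSITIVE_PATHS else "high"
            findings.append(Finding(ts, src, fp, "unpinned-client-accepted", sev, path))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, PAIRED_FINGERPRINTS):
        print(f"{f.ts} [{f.severity}] {f.rule}: fp={f.fingerprint} src={f.src} path={f.path}")
```

On the constructed sample the two paired clients only produce informational first-seen findings, while the unknown fingerprint from 203.0.113.77 produces a high first-seen finding, a high finding for its successful request, and a critical one when the same certificate reaches a sensitive endpoint. Keeping the allowlist in sync with the server's pinned client certificates is what makes rule 2 meaningful; if the allowlist is stale, every legitimately re-paired client shows up as a false positive.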
How to Mitigate CVE-2026-32253
Immediate Actions Required
- Upgrade Sunshine to version 2026.516.143833 or later on every host running the service.
- Restrict network exposure of Sunshine HTTPS endpoints to trusted LAN segments or VPN tunnels until patching is complete.
- Re-pair Moonlight clients and rotate any client certificates that may have been exposed during the vulnerable window.
Patch Information
LizardByte released the fix in Sunshine 2026.516.143833. The patched verify callback no longer treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, or X509_V_ERR_CERT_HAS_EXPIRED as success. Download the release from GitHub Release v2026.516.143833 and review the GitHub Security Advisory GHSA-ph75-mgxh-mv57 for full remediation guidance.
Workarounds
- Place Sunshine behind a reverse proxy or firewall that enforces source IP allowlisting for the HTTPS port.
- Bind Sunshine to a loopback or private interface and require a VPN for remote access until the patched build is deployed.
- Disable the Sunshine service on hosts where streaming is not actively required.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.