Summary
Title
Missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce
Ecosystem / Package
- Ecosystem:
Go(or "Other", TinyIce is shipped as a Go binary, not a Go module published to a registry) - Package name:
github.com/DatanoiseTV/tinyice
Affected versions
>= 0.8.95, <= 2.4.1
(Introduced 2026-02-21 in commit e2b60d6, "debug: add Go Live connection tracing and backend data flow logging", when handleWebRTCSourceOffer was registered at /webrtc/source-offer without an authentication check. Every tagged release from v0.8.95 through v2.4.1 ships the vulnerable handler.)
Patched versions
>= 2.5.0
Severity
- CVSS 3.1 base score: 7.4 (High)
- CVSS vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L - CWE: CWE-306: Missing Authentication for Critical Function
Description
TinyIce's WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=<mount>, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to WebRTCManager.HandleSourceOffer, which then accepted whatever audio/video tracks the peer published and broadcast them on the named mount as if they were the legitimate source.
The other ingest paths (POST /<mount> over HTTP/1 with the icecast SOURCE / PUT verb, RTMP, SRT) all require the per-mount source password, falling back to default_source_password from the config. The WebRTC ingest path didn't.
Workarounds
If users cannot upgrade immediately:
- Recommended: block
POST /webrtc/source-offerat the reverse proxy in front of TinyIce. The endpoint has no production use case for clients outside the operator's own administration, disabling it loses no functionality unless the consuming application specifically use the browser-based "go-live" feature. - Restrict TinyIce's HTTP port to a trusted network (VPN, internal LAN). Listener access can still be served via a separately-firewalled CDN if the application needs public listening.
Detection
To check whether an application's deployment is exposed, run from outside the network:
curl -i -X POST 'https://your-tinyice-host/webrtc/source-offer?mount=/anymount' \
-H 'Content-Type: application/json' \
-d '{"type":"offer","sdp":"v=0\r\n"}'
- If the response is
400 Bad Requestwith a JSON body containing an SDP-parsing error frompion/webrtc, a consuming application is vulnerable, the server tried to negotiate the (malformed) offer without asking for credentials. - If the response is
401 Unauthorized(Basic auth challenge), the consuming application has been patched.
Authenticated log lines on a patched server will look like:
WARN Authentication failed for user 'webrtc-source' from 1.2.3.4: invalid source password
Timeline
- 2026-02-21, Vulnerable handler introduced (
e2b60d6). - 2026-05-09, Vulnerability identified during a maintainer-led audit.
- 2026-05-09, Patched in commit
8067d6b, released asv2.5.0. - 2026-05-09, GitHub Security Advisory published, CVE assigned.
Impact
A network attacker who can reach the TinyIce HTTP port can:
- Identify a target mount (mount names are public, they appear in the directory listing, the player URL, and the YP listing).
- Negotiate a WebRTC peer connection with the server.
- Publish arbitrary Opus / H.264 to that mount.
- Have it broadcast to every listener on the mount.
This is a high-integrity-impact issue: an attacker can replace a radio's broadcast with their own audio (silence, noise, malicious content, branded competitor content, etc.). Listeners hear what the attacker sends, not what the legitimate publisher intended.
The legitimate publisher can re-establish their session, TinyIce's source-takeover handshake gives the new offer priority once it arrives, with a 3-second drain of the previous pump goroutine, but the attacker can in principle re-connect immediately after, producing a sustained broadcast hijack until the operator manually intervenes (block at firewall, rotate source passwords once the patch is applied, restart the service).
There is no direct confidentiality impact through this endpoint: the attacker doesn't gain access to listener data or other mounts' content.
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
CVE-2026-45327 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.5.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Upstream commit: 8067d6b "fix(api): require source password on /webrtc/source-offer + CSRF/access on /go-live-chunk".
The handler now:
- Requires either HTTP Basic auth or a
?password=query parameter. - Compares the supplied password against the per-mount source password (or the
default_source_passwordfallback) using bcrypt. - Hooks into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout).
- Rejects requests for mounts in
disabled_mounts.
The same release also tightens an adjacent endpoint, POST /admin/golive/chunk, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token.
Frequently Asked Questions
- What is CVE-2026-45327? CVE-2026-45327 is a high-severity missing authentication for critical function vulnerability in github.com/DatanoiseTV/tinyice (go), affecting versions >= 0.8.95, <= 2.4.1. It is fixed in 2.5.0. A critical operation is accessible without requiring any authentication.
- How severe is CVE-2026-45327? CVE-2026-45327 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/DatanoiseTV/tinyice are affected by CVE-2026-45327? github.com/DatanoiseTV/tinyice (go) versions >= 0.8.95, <= 2.4.1 is affected.
- Is there a fix for CVE-2026-45327? Yes. CVE-2026-45327 is fixed in 2.5.0. Upgrade to this version or later.
- Is CVE-2026-45327 exploitable, and should I be worried? Whether CVE-2026-45327 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-45327 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-45327? Upgrade
github.com/DatanoiseTV/tinyiceto 2.5.0 or later.