CVE-2026-45327: TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection
TinyIce’s WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=<mount>, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to WebRTCManager.HandleSourceOffer, which then accepted whatever audio/video tracks the peer published and broadcast them on the named mount as if they were the legitimate source.
The other ingest paths (POST /<mount> over HTTP/1 with the Icecast SOURCE / PUT verb, RTMP, SRT) all require the per-mount source password, falling back to default_source_password from the config. The WebRTC ingest path did not, so it was the one ingest route on which a client could publish to a mount without presenting that password.
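The check the WebRTC path lacked, sketched as an added example; this is not TinyIce's code or its actual fix. The names Config, authorizeSource, requireSourceAuth and statusFor, the use of HTTP Basic auth to carry the password, and the sample passwords are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type Config struct { // hypothetical stand-in for the server configuration
	DefaultSourcePassword string            // default_source_password
	MountPasswords        map[string]string // per-mount source passwords
}

// authorizeSource: per-mount password wins, else the default; an empty one authorizes nobody.
func authorizeSource(cfg Config, mount, password string) bool {
	want, ok := cfg.MountPasswords[mount]
	if !ok {
		want = cfg.DefaultSourcePassword
	}
	return want != "" && subtle.ConstantTimeCompare([]byte(password), []byte(want)) == 1
}

// requireSourceAuth rejects an offer before it reaches the WebRTC handler.
func requireSourceAuth(cfg Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, pass, ok := r.BasicAuth() // Basic auth is an assumption of this sketch
		if !ok || !authorizeSource(cfg, r.URL.Query().Get("mount"), pass) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed offer through the guard and returns the HTTP status.
func statusFor(cfg Config, mount, password string) int {
	req := httptest.NewRequest(http.MethodPost, "/webrtc/source-offer?mount="+mount, nil)
	if password != "" {
		req.SetBasicAuth("source", password)
	}
	rec := httptest.NewRecorder()
	// The empty handler stands in for the real offer handler and answers 200.
	requireSourceAuth(cfg, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cfg := Config{DefaultSourcePassword: "default-pw", MountPasswords: map[string]string{"live": "live-pw"}}
	fmt.Println(statusFor(cfg, "live", ""), statusFor(cfg, "live", "live-pw"))
}
```

Wrapping the route at registration time keeps the guard in front of every code path into the handler, and the empty-password case fails closed when neither a per-mount nor a default password is configured.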