Unauthenticated WebRTC Stream Injection in TinyIce

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

TinyIce streaming servers (versions 0.8.95-2.4.1) contain a critical authentication bypass vulnerability in their WebRTC ingest endpoint. An attacker can inject unauthorized audio/video streams without credentials, potentially hijacking legitimate broadcast channels, inserting malicious content, or disrupting service availability. This affects any organization using vulnerable TinyIce versions for live streaming infrastructure, including media companies, educational institutions, and enterprise communication platforms. The vulnerability scored 8.2 CVSS highlights the severity: unauthenticated access to a core streaming function represents a fundamental control failure that erodes the integrity and confidentiality of real-time media delivery.

Casky's 261 matching skills detect the attack patterns mapped to MITRE ATT&CK TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners would observe detection signals including: unauthenticated HTTP/WebRTC requests to ingest endpoints (absence of Authorization headers or valid password parameters), stream injection attempts without matching source credentials, and anomalous streaming sessions originating from unexpected network sources. Claude's extended reasoning correlates these signals—analyzing request patterns, credential validation failures, and timeline clustering—to distinguish between legitimate configuration errors and active exploitation. The skill set maps specifically to bypassing authentication controls and gaining unauthorized access to streaming resources, enabling security teams to identify both opportunistic probing and targeted injection attacks before malicious content reaches audiences.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-45327.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-45327

Casky has 261 skills that investigate the attack patterns behind CVE-2026-45327. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn