GStreamer
open source multimedia framework
Home
Features
News
Annual Conference
Planet (Blogs)
Download
Applications
Security Center
GitLab
Developers
Documentation
Forum
File a Bug
Artwork
Follow us on Bluesky
Follow us on Mastodon
Chat with us on Matrix

Security Advisory 2026-0061 (CVE-2026-14935)

Summary Possible authentication bypass in WebRTC SDP fingerprint validation
Date 2026-07-08
Affected Versions GStreamer gst-plugins-bad < 1.28.5
IDs GStreamer-SA-2026-0061
CVE-2026-14935

Details

A logic error in the WebRTC SDP fingerprint validation code in the webrtcbin element of gst-plugins-bad. The condition checking for the presence of DTLS fingerprint attributes in incoming SDP was inverted: it rejected SDP offers and answers that contained fingerprint information in both the session-level and media-level, while accepting SDP that lacked fingerprint information entirely. SDP with fingerprint information in only one location was handled correctly. This affected the validation performed when processing remote descriptions for active media sections.

Impact

A malicious third party controlling or modifying the remote SDP signaling can strip the fingerprint attributes and have the affected element accept the description. This breaks the WebRTC requirement that binds the DTLS certificate to the signaled identity, weakening the authentication guarantee of the DTLS handshake. The vulnerability enables an authentication bypass at the SDP validation stage.

Solution

The gst-plugins-bad 1.28.5 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project

CVE Database Entries

GStreamer 1.28.5 release

Patches


Report a problem on this page.