CVE-2026-41470
LIVE555 < 2026.04.22 RTSP Server Authorization Bypass via Session Token
Vexday Risk Score
41 · Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.2 · EPSS 0.5% · KEV no · Public PoC · Nuclei — · Metasploit — · Patch referenced
Lifecycle
19 May 2026 · Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connection without authentication, causing server crashes through virtual function call errors or disrupting active streams by terminating victim sessions.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
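An added detection sketch, not code from the advisory or from the LIVE555 project: it flags PLAY and TEARDOWN requests that carry a Session ID first seen on a different TCP connection, and records whether the request had an Authorization header. The event format, host names, addresses and Session IDs are constructed assumptions, and the first connection seen using a Session ID is assumed to be its owner.

```python
import re

SESSION_RE = re.compile(r"^Session:\s*([^;\s]+)", re.I | re.M)
AUTH_RE = re.compile(r"^Authorization:", re.I | re.M)
WATCHED = {"PLAY", "TEARDOWN"}  # the two methods the advisory names


def req(method, session=None, auth=False):
    """Build a constructed RTSP request (hypothetical sample-data helper)."""
    lines = [f"{method} rtsp://camera.example/stream RTSP/1.0", "CSeq: 1"]
    if session:
        lines.append(f"Session: {session}")
    if auth:
        lines.append('Authorization: Digest username="viewer"')
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed capture: (TCP connection id, raw request), in arrival order.
SAMPLE = [
    ("10.0.0.5:40112", req("SETUP", auth=True)),
    ("10.0.0.5:40112", req("PLAY", "1A2B3C4D", auth=True)),
    ("203.0.113.9:51544", req("TEARDOWN", "1A2B3C4D")),  # other connection, no auth
    ("10.0.0.7:40200", req("PLAY", "9F8E7D6C", auth=True)),
]


def find_cross_connection_use(events):
    """Return PLAY/TEARDOWN requests whose Session ID belongs to another connection."""
    owner = {}      # Session ID -> first connection seen using it (assumed owner)
    findings = []
    for conn, raw in events:
        match = SESSION_RE.search(raw)
        if not match:
            continue  # e.g. the initial SETUP, which carries no Session header
        sid = match.group(1)
        first = owner.setdefault(sid, conn)
        method = raw.split(" ", 1)[0].upper()
        if first != conn and method in WATCHED:
            findings.append({"session": sid, "owner": first, "conn": conn,
                             "method": method,
                             "authenticated": bool(AUTH_RE.search(raw))})
    return findings


if __name__ == "__main__":
    for finding in find_cross_connection_use(SAMPLE):
        print(finding)
```

A legitimate client that reconnects and reuses its Session ID also matches, so hits with `authenticated` set to False are the ones to review first.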
Affected products
Live Networks, Inc. · LIVE555
Public PoCs found: 1
cve_reference · gist.github.com/yhcho0405/ee9b67a96808ef19f22e8a4ee88c795f · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.