CVE-2026-41470
MEDIUM
LIVE555 < 2026.04.22 RTSP Server Authorization Bypass via Session Token
Title source: cna
Description
LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connection without authentication, causing server crashes through virtual function call errors or disrupting active streams by terminating victim sessions.
References (3)
Core References
Exploit (technical-description, exploit): https://gist.github.com/yhcho0405/ee9b67a96808ef19f22e8a4ee88c795f
Patch (patch, product): https://download.live555.com/
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/live555-rtsp-server-authorization-bypass-via-session-token
Scores
CVSS v3: 5.9
EPSS: 0.0049
EPSS Percentile: 37.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-863
Status: published
Products (1)
Live Networks, Inc./LIVE555: < 2026.04.22
Published: May 19, 2026
Tracked Since: May 19, 2026