CVE-2026-44700
HIGH
Elixir WebRTC: Missing DTLS peer fingerprint validation in ex_webrtc client-role handshake
Title source: cnaDescription
Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client (active) role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in standard deployments, but enables a full man-in-the-middle attack when chained with insecure signalling or a peer with similar validation gaps. This vulnerability is fixed in 0.15.1 and 0.16.1.
References (5)
Core References
x_refsource_confirm
https://github.com/elixir-webrtc/ex_webrtc/security/advisories/GHSA-qwfw-ggxw-577c
x_refsource_misc
https://github.com/elixir-webrtc/ex_webrtc/issues/249
x_refsource_misc
https://github.com/elixir-webrtc/ex_webrtc/pull/250
x_refsource_misc
https://github.com/elixir-webrtc/ex_webrtc/releases/tag/v0.15.1
x_refsource_misc
https://github.com/elixir-webrtc/ex_webrtc/releases/tag/v0.16.1
Scores
CVSS v4
8.7
EPSS
0.0006
EPSS Percentile
19.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (4)
elixir-webrtc/ex_webrtc
< 0.15.1
elixir-webrtc/ex_webrtc
>= 0.16.0, < 0.16.1
Hex/ex_webrtc
0 - 0.15.1
Hex/ex_webrtc
0.16.0 - 0.16.1
Published
May 14, 2026
Tracked Since
May 15, 2026