Elixir WebRTC: Missing DTLS peer fingerprint validation in ex

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client (active) role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in standard deployments, but enables a full man-in-the-middle attack when chained with insecure signalling or a peer with similar validation gaps. This vulnerability is fixed in 0.15.1 and 0.16.1.

AI Analysis

Missing DTLS peer certificate fingerprint validation in the DTLS client role, enabling a full man-in-the-middle attack when chained with insecure signalling or similar validation gaps.

Basic Information

ID CVE-2026-44700

Source GitHub_M

Published May 14, 2026 at 20:51

Affected Product

Vendor elixir-webrtc

Product ex_webrtc

Version < 0.15.1

Affected Versions elixir-webrtc ex_webrtc < 0.15.1
elixir-webrtc ex_webrtc >= 0.16.0, < 0.16.1

CWE Classification

CWE-295

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Elixir WebRTC

Product ex_webrtc

Version < 0.15.1, >= 0.16.0, < 0.16.1

References

{
    "lastseen": "",
    "description": "Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client (active) role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in standard deployments, but enables a full man-in-the-middle attack when chained with insecure signalling or a peer with similar validation gaps. This vulnerability is fixed in 0.15.1 and 0.16.1.",
    "published": "2026-05-14T20:51:03.877Z",
    "modified": "2026-05-14T20:51:03.877Z",
    "type": "cve",
    "title": "Elixir WebRTC: Missing DTLS peer fingerprint validation in ex_webrtc client-role handshake",
    "source": "GitHub_M",
    "references": "https://github.com/elixir-webrtc/ex_webrtc/security/advisories/GHSA-qwfw-ggxw-577c\nhttps://github.com/elixir-webrtc/ex_webrtc/issues/249\nhttps://github.com/elixir-webrtc/ex_webrtc/pull/250\nhttps://github.com/elixir-webrtc/ex_webrtc/releases/tag/v0.15.1\nhttps://github.com/elixir-webrtc/ex_webrtc/releases/tag/v0.16.1",
    "id": "CVE-2026-44700",
    "bulletinFamily": "",
    "cwe": [
        "CWE-295"
    ],
    "cvelist": null,
    "sourceData": "elixir-webrtc ex_webrtc < 0.15.1\nelixir-webrtc ex_webrtc >= 0.16.0, < 0.16.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ex_webrtc",
    "version": "< 0.15.1",
    "vendor": "elixir-webrtc",
    "ai_description": "Missing DTLS peer certificate fingerprint validation in the DTLS client role, enabling a full man-in-the-middle attack when chained with insecure signalling or similar validation gaps.",
    "ai_severity": "High",
    "ai_vendor": "Elixir WebRTC",
    "ai_product": "ex_webrtc",
    "ai_version": "< 0.15.1, >= 0.16.0, < 0.16.1",
    "ai_score": 8.7
}

Elixir WebRTC: Missing DTLS peer fingerprint validation in ex_webrtc client-role handshake_CVE-2026-44700