Threat Advisory

ex_webrtc Vulnerability Enables Full MITM Attack

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44700, with a CVSS score of 8.7, is a vulnerability in the ex_webrtc library affecting all released versions prior to 0.15.1 and 0.16.1. The issue lies in the client-role handshake, which is missing DTLS peer fingerprint validation. When acting as a DTLS client, ex_webrtc does not check the peer's certificate fingerprint, which removes one side of WebRTC's mutual authentication. An attacker positioned on the network can intercept media against a standards-compliant browser peer over a TLS-protected signalling channel, but the browser's fingerprint check prevents the second leg of the MITM from succeeding. However, the bug enables a full MITM on media and data channels when combined with insecure signalling, a compromised signalling server, or a peer implementation with a similar fingerprint-validation gap. Both audio/video media and data channels are affected, and the attacker gains the ability to intercept and modify sensitive information. The business impact of exploitation includes unauthorized access to sensitive data, potential data breaches, and reputational damage.


RECOMMENDATION:

  • We recommend updating ex_webrtc to version 0.15.1 or 0.16.1.
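
The check the summary describes as missing compares the certificate presented in the DTLS handshake with the `a=fingerprint` value the peer sent over signalling. The sketch below is an added example, not code from ex_webrtc or the advisory; the function names, the set of accepted hash functions, and the sample SDP and certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Hash names accepted in a=fingerprint lines, mapped to hashlib names.
# Assumption of this example: SHA-1 and MD5 fingerprints are never accepted.
ACCEPTED = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
PREFIX = "a=fingerprint:"


def parse_fingerprints(sdp):
    """Return (hash name, digest bytes) for every a=fingerprint line in the SDP."""
    found = []
    for line in sdp.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if len(parts) != 2:
                raise ValueError("malformed a=fingerprint line")
            digest = bytes.fromhex(parts[1].replace(":", ""))
            found.append((parts[0].lower(), digest))
    return found


def peer_cert_matches(sdp, peer_cert_der):
    """True only if the certificate seen in the DTLS handshake hashes to a
    fingerprint the peer announced over signalling. Fails closed."""
    matched = False
    for algo, expected in parse_fingerprints(sdp):
        if algo not in ACCEPTED:
            continue  # unsupported hash: cannot authenticate the peer
        actual = hashlib.new(ACCEPTED[algo], peer_cert_der).digest()
        if hmac.compare_digest(actual, expected):
            matched = True
    return matched  # stays False when the SDP carries no usable fingerprint


def format_fingerprint(der):
    """Colon-separated upper-case SHA-256 hex, as written in SDP."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


# Constructed sample data: placeholder bytes stand in for DER certificates.
EXPECTED_CERT = b"constructed stand-in for the signalled peer certificate"
OTHER_CERT = b"constructed stand-in for a certificate from another party"
SAMPLE_SDP = ("v=0\r\na=setup:passive\r\n"
              + PREFIX + "sha-256 " + format_fingerprint(EXPECTED_CERT) + "\r\n")

if __name__ == "__main__":
    for name, cert in (("expected", EXPECTED_CERT), ("other", OTHER_CERT)):
        ok = peer_cert_matches(SAMPLE_SDP, cert)
        print(name, "certificate:", "continue" if ok else "abort handshake")
```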

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-qwfw-ggxw-577c
