CVE-2026-41470 HIGH

CVE-2026-41470: LIVE555 < 2026.04.22 RTSP Server Authorization Bypass via Session Token

Vendor Live Networks, Inc.

Product LIVE555

Weakness CWE-863 · Incorrect authorization

Published May 19, 2026

Last update May 20, 2026

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connection without authentication, causing server crashes through virtual function call errors or disrupting active streams by terminating victim sessions.

Key dates

02Disclosure timeline

May 19, 2026 CVE published

May 20, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41470 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2026-41470: LIVE555 < 2026.04.22 RTSP Server Authorization Bypass via Session Token

01Description

02Disclosure timeline

03References

04Related CVE