Listen to this Post
Intro – How CVE-2026-44353 Works
Streamlink versions before 8.4.0 fail to validate URI schemes when parsing HLS (.m3u8) and DASH (.mpd) manifests.
An attacker can host a malicious playlist that includes `file://` URIs instead of https://` segments./etc/passwd
The HLS/DASH parsers blindly accept any URI scheme without checking if it is local or remote.
When Streamlink processes such a manifest, it interprets `file:///etc/passwd` as a valid segment.
The utility then opens the local file using standard filesystem APIs.
Streamlink reads the entire contents of that file from disk.
Those contents are then written directly to the output stream (e.g., stdout or a video player).
This effectively turns Streamlink into an arbitrary local file read primitive.
No authentication or special privileges are required on the target machine.
The attack is triggered simply by asking Streamlink to play a malicious `.m3u8` or `.mpd` URL.
The URL can be delivered via phishing, malicious websites, or man‑in‑the‑middle attacks.
Streamlink does not warn the user that local file access is occurring.
The issue exists because the parser uses generic URI handling without scheme filtering.
`file://` is treated the same as `http://` or `https://` during segment resolution.
This violates the principle of least privilege for a network streamer.
The vulnerability affects both HLS (HTTP Live Streaming) and DASH (Dynamic Adaptive Streaming over HTTP).
An attacker can read any file readable by the Streamlink process’s user.
Common targets include, configuration files, SSH keys, and application secrets..bash_history
The output stream may be saved to disk or piped to another process, exfiltrating data.
Even non‑root users can read sensitive user data (e.g.,,.aws/credentials).http
The attack does not require code execution on the target – only a crafted manifest URL.
Streamlink versions prior to 8.4.0 are vulnerable across all supported operating systems.
The fix in 8.4.0 adds strict URI scheme validation: only,https, and allowed schemes.file://
<h2 style="color: blue;">is explicitly rejected by the parsers.</h2>
No configuration change is needed for the fix – upgrading is sufficient.
The vulnerability was assigned CVE-2026-44353 with a CVSS 3.x base score of 7.5 (High).
Disclosure and patch were coordinated through GitHub Security Lab.
NVD published the entry on May 27, 2026, with last modification on June 1, 2026.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Streamlink
Version: Below 8.4.0
Vulnerability: Scheme validation missing
Severity: CVSS 7.5 High
date: 2026-06-01
<h2 style="color: blue;">Prediction: 2026-05-27</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Analytics:</h2>
Craft malicious HLS playlist (evil.m3u8) echo "EXTM3U" > evil.m3u8 echo "EXTINF:10," >> evil.m3u8 echo "file:///etc/passwd" >> evil.m3u8 Serve it (e.g., with Python) python3 -m http.server 8080 Victim runs streamlink against the malicious URL streamlink http://localhost:8080/evil.m3u8 best Expected output: contents of /etc/passwd printed to stdout
DASH manifest example (evil.mpd) cat > evil.mpd <<EOF <?xml version="1.0"?> <MPD> <Period> <AdaptationSet> <Representation> <SegmentList> <SegmentURL media="file:///home/user/.ssh/id_rsa"/> </SegmentList> </Representation> </AdaptationSet> </Period> </MPD> EOF
<h2 style="color: blue;">Exploit:</h2> 3. Streamlink requests the manifest, parses it, and attempts to read each `file://` segment. Arbitrary local file disclosure. An attacker can read any file accessible to the Streamlink process, leading to credential theft, configuration leakage, and further system compromise. Join Undercode Academy for Verified Certifications Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems: Reported By: nvd.nist.gov
1. Attacker hosts an HLS/DASH manifest with `file://` segment URLs pointing to a target file.
<h2 style="color: blue;">2. Victim is tricked into runningstreamlink
4. Local file contents are streamed to the victim’s output (video player, file, or stdout).Protection:
Impact:
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
🚀 Request a Custom Project:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by ThousandsSources:
Extra Source Hub:
Undercode🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:

