Vulnerability in PJSIP's SIP TLS Transport Allows Acceptance of Invalid Certificates
CVE-2026-42225

8.2 HIGH

Key Information:

Vendor: Pjsip
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-42225?

A vulnerability has been identified in PJSIP, a widely used multimedia communication library, affecting versions prior to 2.17. The SIP TLS transport accepts connections that present invalid or untrusted certificates even when certificate verification is explicitly enabled (verify_server = PJ_TRUE or verify_client = PJ_TRUE). Because the transport reports verification as enabled while not enforcing it, the flaw undermines the trust model that a TLS-protected SIP session relies on and poses a significant risk to secure communications. The problem has been addressed in version 2.17, which performs proper certificate validation so that only trusted certificates are accepted.
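The flaw described above is the gap between verification being requested and verification being enforced. The Go program below is an added example, not PJSIP code and not part of the advisory: it stands up a throwaway TLS server with a self-signed certificate constructed in-process and records what a client sees under three policies: verification on with the certificate trusted, verification on with the certificate untrusted (this must fail), and verification switched off. The hostname sip.example.invalid and the helper names are assumptions. The same three-way check, pointed at a SIP-over-TLS stack, is what a regression test for this class of bug should assert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hostname used for the throwaway certificate (assumed value for this example).
const serverName = "sip.example.invalid"

// selfSignedCert builds a self-signed certificate for the test server.
// It is constructed in-process so the example runs fully offline.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{serverName},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// ClientHandshake runs one TLS handshake against a server presenting the
// self-signed certificate and returns the client's error, if any.
// trustServerCert: the server certificate is in the client's CA bundle.
// skipVerify: certificate verification is turned off entirely, which is the
// effective behaviour the advisory describes, here made explicit.
func ClientHandshake(trustServerCert, skipVerify bool) error {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()

	// Server side: accept one connection and drive the handshake to completion.
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()

	roots := x509.NewCertPool() // empty bundle: nothing is trusted by default
	if trustServerCert {
		roots.AddCert(leaf)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:         serverName,
		RootCAs:            roots,
		InsecureSkipVerify: skipVerify,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// RejectsUntrusted is the regression check a TLS transport must pass: with
// verification enabled and the peer certificate absent from the CA bundle,
// the handshake fails with an unknown-authority error instead of succeeding.
func RejectsUntrusted() bool {
	err := ClientHandshake(false, false)
	var unknownAuthority x509.UnknownAuthorityError
	return err != nil && errors.As(err, &unknownAuthority)
}

func main() {
	fmt.Println("verify on, cert trusted   -> accepted:", ClientHandshake(true, false) == nil)
	fmt.Println("verify on, cert untrusted -> rejected:", RejectsUntrusted())
	fmt.Println("verify off                -> accepted:", ClientHandshake(false, true) == nil)
}
```

The middle case is the one that matters for this CVE: a transport that returns success there, while its configuration says verification is on, has the defect the advisory describes. Checking the error type rather than just non-nil distinguishes a genuine trust failure from an unrelated connection problem.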

Affected Version(s)

pjproject < 2.17

References

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
