LuminalShine

NortheBridge Foundation · NortheBridge.LuminalShine

A Modern Self-hosted High Performance Sunshine-compatible game stream host for Moonlight designed for Windows 11 and Windows 11 Insider Preview. Maintained by the NortheBridge Foundation.

winget install --id NortheBridge.LuminalShine --exact --source winget

Latest 26.05.0.18

Release Notes

LuminalShine 26.05.0 Release Candidate 4 (RC4)

Caution: This release ships the fix for CVE-2026-32253 / GHSA-ph75-mgxh-mv57 (Critical, CVSS 9.8), an upstream cert-chain authentication bypass that allowed network-reachable attackers to impersonate paired Moonlight clients and reach /launch with input injection on a SYSTEM-level service. All LuminalShine hosts should upgrade immediately. See the Security section below for details. We have posted a separate Security Advisory as GHSA-8gq2-8vfv-fqx7.

Caution: This release ships the fix for GHSA-52q6-5x97-2747 (Moderate, CVSS 6.3). The protection of the ProgramData config directory was incidental, not enforced: there is no util:PermissionEx in packaging/windows/wix/custom_actions.wxs, no SetNamedSecurityInfo call anywhere, and the code in src/config.cpp / src/file_handler.cpp creates the file with no security descriptor. Off-default conditions break it: OEM gold images with loosened ProgramData DACLs, plugins running as non-SYSTEM that pre-create the directory, manual user copies into ProgramData, etc. If write access ever exists, src/process.cpp reads cmd/elevated:true with no integrity check and src/platform/windows/misc.cpp launches via CreateProcessAsUserW with the linked admin token, giving a non-admin to Administrator EoP. All LuminalShine hosts should upgrade immediately. See the Security section below for details.

Note: Existing installs migrate transparently. sunshine_credentials.json is renamed in place to luminalshine_credentials.json on first launch after upgrade, with the original archived as sunshine_credentials.json.deprecated- for forensic recovery. Paired Moonlight clients, the Windows Credential Manager admin entry, and the apps list are unaffected.

General

  • New: Session Details panel + Session History card. The Dashboard now records every streaming session you run. A new LuminalShineSessionMonitor Windows service captures per-session metadata (client, codec, resolution, FPS, bitrate, HDR / YUV4:4:4 flags) along with 1Hz host CPU + RAM samples, persists them under %ProgramData%\LuminalShine\sessions, and serves them back to the Web UI. The Session History card on the Dashboard lists every recorded session (active sessions float to the top with a LIVE pulse; ended sessions follow in reverse chronological order). Clicking a row opens a right-edge slide-out drawer with live uPlot charts grouped under three tabs — Stream / Connection / Host — plus Disconnect, Export JSON, and Delete actions. The monitor service is independent from the streaming hot path: it runs in its own process with SYSTEM-only named-pipe ingest, a kernel-assigned ephemeral localhost port, and a fire-and-forget producer that can never block encoding or stream delivery.
  • New: Per-session recording opt-out (Settings → Capture → session_monitor, default on). When off, the producer is muted but the sidecar service stays running, so toggling the setting back on resumes recording immediately.
  • New: "Clear Session History" gesture on the Troubleshooting page. Wipes the on-disk archive while leaving the sidecar's in-memory ring buffer intact (so the Web UI repopulates from live state). The MSI uninstall now removes the session archive by default; opt-out via msiexec /x ... KEEPSESSIONDATA=1 for migration scenarios.
  • TypeScript toolchain bump to TypeScript 6.0.3 and vue-tsc 3.3.1. No user-visible behavior change.
  • README badges: release version, commits-since-release, GitHub downloads, code size, stars, license, and CI status are now surfaced at the top of the project README for repo navigation.

Windows 11 General Availability
  • No GA-channel-specific items this release. GA hosts pick up everything in Security and Hotfixes below.

Windows 11 Insider Preview
  • No Insider-Preview-specific items this release. Insider Preview Canary / Dev hosts pick up everything in Security and Hotfixes below.

Security
  • CVE-2026-32253 / GHSA-ph75-mgxh-mv57 (Critical, CVSS 9.8) — fixed. Closes the upstream Sunshine cert-chain authentication bypass that let a network-reachable attacker present a self-signed leaf chained to a self-generated CA and be accepted as a paired Moonlight client. From there, the attacker could call /launch or /resume and stream — with input injection — under the SYSTEM service identity. Two layered changes ship:
    • Removed the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY fast-path in openssl_verify_cb, mirroring upstream Sunshine v2026.516.143833.
    • Added a leaf-signature pin in the Moonlight HTTPS verify lambda: after the OpenSSL chain verifier accepts a peer, its leaf signature must also exactly match an entry in client_root.named_devices. Defense-in-depth — any future regression in the verify callback cannot grant access to an unpaired peer.
    • Regression coverage added in tests/unit/test_cert_chain.cpp.
  • ProgramData config-directory hardening. The files under %ProgramData%\LuminalShine\config\ (apps.json, sunshine.conf, the paired-clients store, the credentials file) include paths and command lines that the SYSTEM service trusts at CreateProcessAsUserW time. Default Windows ACL inheritance happens to keep Users non-writable on a vanilla install, but the protection was incidental rather than enforced. Layered defense now ships:
    • PROTECTED DACL (SYSTEM and Administrators Full, Users Read+Execute) and a System mandatory integrity label are applied at every service start via SetNamedSecurityInfoW. Self-repairing — incorrect ACLs from OEM gold images, prior tooling, or BIOS-image deployments are corrected on the next service start.
    • HMAC-SHA256 tamper detection on apps.json with a sidecar .sig file. The HMAC key is sealed via the TPM 2.0 (Microsoft Platform Crypto Provider KSP) when available, and falls back to DPAPI-LocalMachine otherwise. The active backend (tpm / dpapi-lm / unavailable) is logged once at startup. On HMAC mismatch the suspect file is renamed to .tamper- and the service seeds defaults rather than load attacker-supplied content.
    • sunshine_credentials.json → luminalshine_credentials.json (flag-day rename) with one-shot in-place migration so existing installs never lose admin credentials. The original is archived as .deprecated-.
    • Per the threat-model review: no install-time TPM gate. DPAPI-LocalMachine fallback covers TPM-less hosts (BIOS-disabled TPM, vTPM-less VMs, Insider Preview registry-bypass installs) without weakening the security ceiling for the same-machine-tamper threat model.

Hotfixes
  • No Hotfixes-specific items this release. Insider Preview Canary / Dev hosts pick up everything above.

Automated release for 26.05.0-rc4.

Full Changelog: 26.05.0-rc3.hfx4...26.05.0-rc4
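The HMAC-SHA256 sidecar check described in the Security section above, as an added illustration written for this page rather than LuminalShine's own C++ code: a file loads only when apps.json.sig matches, and on mismatch the suspect file is moved aside as .tamper-<stamp> and signed defaults are seeded. The timestamp suffix, the default content and the in-memory key are assumptions; the real key is sealed by TPM or DPAPI, which this example does not model.

```python
import hashlib
import hmac
import json
import os
import tempfile
import time
from pathlib import Path

# Content seeded when the on-disk file fails verification (constructed placeholder).
DEFAULT_APPS = {"apps": []}


def sign_file(path: Path, key: bytes) -> str:
    """Store hex HMAC-SHA256(key, file bytes) in the sidecar <name>.sig and return it."""
    mac = hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()
    path.with_name(path.name + ".sig").write_text(mac)
    return mac


def load_verified(path: Path, key: bytes) -> tuple[dict, str]:
    """Load the file only if its sidecar HMAC matches; otherwise quarantine it."""
    data = path.read_bytes()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    sig = path.with_name(path.name + ".sig")
    stored = sig.read_text().strip() if sig.exists() else ""
    if stored and hmac.compare_digest(expected, stored):  # constant-time compare
        return json.loads(data), "ok"
    # Mismatch or missing .sig: move the suspect file aside as .tamper-<UTC stamp>
    # (the stamp format is an assumption) and seed signed defaults in its place.
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    os.replace(path, path.with_name(f"{path.name}.tamper-{stamp}"))
    path.write_text(json.dumps(DEFAULT_APPS, indent=2))
    sign_file(path, key)
    return dict(DEFAULT_APPS), "tamper"


def demo() -> dict:
    """Sign, verify, edit the file out of band without re-signing, verify again."""
    key = hashlib.sha256(b"constructed demo key, not a TPM/DPAPI-sealed one").digest()
    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp, "apps.json")
        apps.write_text(json.dumps({"apps": [{"name": "Desktop", "cmd": ""}]}))
        sign_file(apps, key)
        _, first = load_verified(apps, key)
        # An out-of-band edit that sets the elevated flag the service trusts, unsigned.
        apps.write_text(json.dumps({"apps": [{"name": "Desktop", "elevated": True}]}))
        loaded, second = load_verified(apps, key)
        quarantined = sum(".tamper-" in p.name for p in Path(tmp).iterdir())
        _, third = load_verified(apps, key)  # reseeded defaults verify cleanly
    return {"first": first, "second": second, "third": third,
            "loaded": loaded, "quarantined": quarantined}
```

The second load never returns the edited content: the file is quarantined and the defaults come back signed, so the third load verifies again.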

Installer type: portable

Architecture: x64
SHA256: A80D0E9F876CC33A37F497F2BFC84E3FD2E671355523A319E48DAF83766B2A20

Details

Homepage
https://github.com/NortheBridge/luminalshine
License
GPL-3.0
Publisher
NortheBridge Foundation
Support
https://gitdocs.northebridge.com/
Copyright
Copyright (c) NortheBridge Foundation
Moniker
luminalshine

Tags

amdgpu, blackwell-gpu, contributions-welcome, contributors-welcome, cpp, game-stream, game-streaming, game-streaming-server, geforce-experience, intelgpu, moonlight, nvidia-gpu, python, remote-desktop, windows-insiders, windows11

Older versions (2)

26.05.0.17
Architecture: x64
SHA256: FCD2A78751B5A039DDC0CFC74CF645F8E265D03F444B46876B291B999F48CC88

26.05.0
Architecture: x64
SHA256: DC9DBCFB43FB18905E472E9976CBC7D9175549472E6353CC28324459AFAB165F