What is the CVSS score of CVE-2026-27624?

CVE-2026-27624 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Coturn are affected by CVE-2026-27624?

A vulnerability in Coturn TURN/STUN server implementations could allow attackers to bypass internal network protections designed to prevent access to loopback and internal IP ranges, potentially…. A patch is available.

Is there a public PoC exploit available for CVE-2026-27624?

Yes, a public proof-of-concept exploit is available for CVE-2026-27624. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-27624?

Within 24 hours: Identify all Coturn instances in your environment and assess their network exposure and configuration. Within 7 days: Apply the available vendor patch to all affected Coturn installations and validate the remediation through testing. Within 30 days: Conduct a comprehensive audit of network access logs to identify any potential exploitation attempts and review related security configurations across dependent systems.

Coturn CVE-2026-27624

HIGH

Improper Access Control (CWE-284)

2026-02-25 security-advisories@github.com

Authentication Bypass Coturn Suse

7.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.2 HIGH

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 27, 2026 - 18:04 vuln.today

Public exploit code

Patch released

Feb 27, 2026 - 18:04 nvd

Patch available

CVE Published

Feb 25, 2026 - 05:17 nvd

HIGH 7.2

DescriptionGitHub Advisory

Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1." "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0." "addr_less_eq()" used by "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.

AnalysisAI

Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal addresses by exploiting IPv4-mapped IPv6 address handling in permission and channel binding requests. The vulnerability bypasses "denied-peer-ip" restrictions designed to block loopback ranges, enabling an attacker to interact with internal services that should be unreachable. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send TURN CreatePermission request

Exploit

Specify IPv4-mapped IPv6 address ::ffff:127.0.0.1

Execution

Bypass loopback restrictions

Impact

Access internal services

Access

Send TURN CreatePermission request

Exploit

Specify IPv4-mapped IPv6 address ::ffff:127.0.0.1

Execution

Bypass loopback restrictions

Impact

Access internal services

Vulnerability AssessmentAI

Exploitation	Coturn server configured with 'denied-peer-ip' blocking loopback ranges (127.0.0.0/8) or default loopback restrictions, version prior to 4.9.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.2 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Coturn instances in your environment and assess their network exposure and configuration. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

Product	Status
openSUSE Tumbleweed	Fixed

CVE-2026-27624 vulnerability details – vuln.today

Back

Coturn CVE-2026-27624

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code