Skip to main content

coturn CVE-2026-53450

| EUVDEUVD-2026-42971 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-10 GitHub_M
7.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
7.4 HIGH

Network-reachable relay abuse with low complexity but requiring valid TURN credentials (PR:L); scope changes as traffic reaches services beyond the TURN authorization boundary, with low impact bounded by what localhost exposes.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 19:01 EUVD
Analysis Generated
Jul 10, 2026 - 18:55 vuln.today

DescriptionCVE.org

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN XOR-PEER-ADDRESS attribute. ioa_addr_is_loopback checks for the literal IPv6 loopback shape before IPv4-mapped IPv6 handling, so good_peer_addr does not apply the default loopback rejection and an authenticated TURN client can expose services bound only to localhost on the coturn host through TURN relay traffic. This issue is fixed in version 4.13.0.

AnalysisAI

Server-side request forgery in coturn TURN/STUN server before 4.13.0 lets an authenticated TURN client bypass the default loopback-peer guard by supplying the IPv4-mapped IPv6 address ::ffff:127.0.0.1 in the XOR-PEER-ADDRESS attribute, relaying traffic to services bound only to the coturn host's localhost. The loopback check evaluates the literal IPv6 loopback shape before IPv4-mapped IPv6 normalization, so good_peer_addr never applies the rejection even when allow-loopback-peers is disabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid TURN credentials
Delivery
Create TURN allocation on coturn
Exploit
Send relay with XOR-PEER-ADDRESS ::ffff:127.0.0.1
Execution
Bypass loopback guard, reach localhost service
Impact
Exfiltrate or manipulate internal service data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated TURN client (valid coturn credentials, matching CVSS PR:L) that can send a TURN allocation/relay request with a crafted XOR-PEER-ADDRESS of the IPv4-mapped IPv6 form ::ffff:127.0.0.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds valid TURN credentials (for example, a legitimate user of a shared WebRTC/TURN service) creates a TURN allocation and issues a relay request with XOR-PEER-ADDRESS set to ::ffff:127.0.0.1 plus the target port, causing coturn to forward the attacker's traffic to a service listening only on the host's loopback interface. This lets the attacker reach otherwise-unreachable localhost services - such as an internal admin panel, metrics/debug endpoint, or metadata proxy - for information disclosure or limited manipulation. …
Remediation Vendor-released patch: upgrade coturn to version 4.13.0 or later, which corrects the ordering so ioa_addr_is_loopback normalizes IPv4-mapped IPv6 addresses before the loopback test; see GHSA-w4hf-cr3w-6h79 and commit b057acbebe721c8f2f202ddad5e16289e295c754. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory coturn deployments and document versions below 4.13.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Coturn

View all

Share

CVE-2026-53450 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy