PT-2026-21865 · Coturn · Coturn

T1Xster-Secreporter · Published 2026-02-23 · Updated 2026-03-15 · CVE-2026-27624

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Coturn versions prior to 4.9.0

Description: Coturn, a free open source implementation of a TURN and STUN server, is susceptible to a bypass of loopback and internal range restrictions. Specifically, configurations using "denied-peer-ip" to block loopback and internal ranges can be circumvented by sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value set to "::ffff:127.0.0.1". This is due to insufficient checks for IPv4-mapped IPv6 addresses in the functions ioa_addr_is_loopback(), ioa_addr_is_zero(), and addr_less_eq() within "src/client/ns_turn_ioaddr.c" prior to version 4.9.0. The root cause is that these functions do not check for IN6_IS_ADDR_V4MAPPED.

Recommendations: Versions prior to 4.9.0 should be updated to version 4.9.0 or later.
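As an added illustration of the check described above (not coturn's own code), the C sketch below shows why a per-family loopback test lets "::ffff:127.0.0.1" through, and how unwrapping the IPv4-mapped form with IN6_IS_ADDR_V4MAPPED before any deny-range check closes the gap; parse_peer(), unmap_v4mapped() and peer_denied() are hypothetical names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Parse a textual peer address (what XOR-PEER-ADDRESS carries) into a
 * sockaddr_storage. Returns 1 on success, 0 if the text is not an address. */
static int parse_peer(const char *text, struct sockaddr_storage *out) {
    struct sockaddr_in *s4 = (struct sockaddr_in *)out;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)out;
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) { out->ss_family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) { out->ss_family = AF_INET6; return 1; }
    return 0;
}

/* The fix (hypothetical helper): if the peer is an IPv4-mapped IPv6 address
 * (::ffff:a.b.c.d), rewrite it in place as a plain AF_INET address so that
 * every IPv4 deny rule applies to it. Returns 1 if the address was rewritten. */
static int unmap_v4mapped(struct sockaddr_storage *ss) {
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct in_addr v4;
    if (ss->ss_family != AF_INET6 || !IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr))
        return 0;
    memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof v4); /* low 32 bits hold the IPv4 */
    memset(ss, 0, sizeof *ss);
    s4->sin_family = AF_INET;
    s4->sin_addr = v4;
    return 1;
}

/* Per-family loopback test. On its own it has the pre-4.9.0 gap:
 * ::ffff:127.0.0.1 is AF_INET6 but is not ::1, so it is not flagged. */
static int is_loopback(const struct sockaddr_storage *ss) {
    if (ss->ss_family == AF_INET)
        return (ntohl(((const struct sockaddr_in *)ss)->sin_addr.s_addr) >> 24) == 127;
    if (ss->ss_family == AF_INET6)
        return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6 *)ss)->sin6_addr);
    return 0;
}

/* Returns 1 = denied as loopback, 0 = allowed, -1 = unparsable.
 * hardened == 0 reproduces the gap; hardened != 0 applies the fix first. */
int peer_denied(const char *text, int hardened) {
    struct sockaddr_storage ss;
    if (!parse_peer(text, &ss)) return -1;
    if (hardened) unmap_v4mapped(&ss); /* normalise before any range check runs */
    return is_loopback(&ss);
}
```

The same normalisation step should run before the other denied-peer-ip range comparisons, since the advisory names ioa_addr_is_zero() and addr_less_eq() as affected as well.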

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2026-04350
CVE-2026-27624
GHSA-6G6J-R9RF-CM7P
GHSA-J8MM-MPF8-GVJG
MGASA-2026-0051
OPENSUSE-SU-2026:10375-1

Affected Products

Coturn