PT-2026-53972 · Coturn · Coturn

Published

2026-06-30

·

Updated

2026-07-10

·

CVE-2026-53450

CVSS v3.1

7.4

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions coturn versions prior to 4.13.0
Description An authenticated TURN client can bypass the default loopback guard by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 within a TURN XOR-PEER-ADDRESS attribute. This occurs because the ioa addr is loopback function checks for the literal IPv6 loopback shape before handling IPv4-mapped IPv6 addresses, causing the good peer addr function to fail in applying the default loopback rejection. Consequently, an attacker can expose services bound only to localhost on the host through TURN relay traffic.
Recommendations Update to version 4.13.0 or later.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53450

Affected Products

Coturn