CVE-2026-53448 in coturninfo

Summary

by MITRE • 07/10/2026

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The is_secure_string filter that protects the STUN protocol path is not applied to the admin panel's delete-user, delete-secret, and delete-IP operations, so an authenticated admin can inject arbitrary SQL through the du, ds, and dip parameters, gaining full database control and potentially OS-level access via PostgreSQL COPY TO PROGRAM. This issue is fixed in version 4.12.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The coturn software represents a critical vulnerability in network infrastructure security through its improper handling of HTTP query parameters within the HTTPS admin panel. This flaw exists in versions prior to 4120 where the application fails to implement proper input sanitization mechanisms when processing user-supplied data through snprintf string interpolation techniques. The vulnerability specifically affects the admin panel's delete-user du delete-secret ds and delete-IP dip operations which directly translate query parameters into SQL queries without adequate filtering or validation. The security mechanism that normally protects the STUN protocol path through the is_secure_string filter is selectively omitted from these administrative functions creating an inconsistent security posture within the application.

The technical exploitation of this vulnerability leverages authenticated admin access to perform malicious parameter injection attacks against the database layer. When administrators execute delete operations through the web interface using parameters du ds or dip the system processes these inputs directly into SQL statements without proper sanitization, creating a classic sql injection attack vector. This vulnerability maps directly to common weakness enumerations CWE-89 SQL Injection and CWE-20 Improper Input Validation which are fundamental security concerns in database interaction design. The absence of parameterized queries or proper input filtering creates opportunities for attackers to manipulate the underlying database through carefully crafted malicious inputs.

The operational impact of this vulnerability extends beyond simple data manipulation to potentially enable full system compromise through database-level command execution. PostgreSQL's COPY TO PROGRAM functionality presents a particularly dangerous attack surface where successful sql injection can be leveraged to execute arbitrary operating system commands on the server hosting the coturn application. This escalation capability transforms what initially appears as a database security issue into a potential full system compromise scenario. Attackers could potentially gain persistence, escalate privileges, or extract sensitive data from the entire system infrastructure through this single vulnerability.

The mitigation strategy for this vulnerability requires immediate deployment of coturn version 4120 which implements proper parameter sanitization and input validation mechanisms. Organizations should conduct comprehensive security assessments to identify all instances of vulnerable coturn installations within their infrastructure and ensure proper patch management processes are in place. The fix addresses the root cause by implementing proper string interpolation techniques that prevent direct parameter inclusion into sql queries while maintaining the intended functionality of administrative operations. Security teams must also review access controls and implement principle of least privilege for admin accounts to minimize potential damage from any remaining vulnerabilities in the system.

This vulnerability demonstrates the importance of consistent security implementation across all application components, particularly in administrative interfaces where elevated privileges can be leveraged for maximum impact. The issue aligns with attack techniques documented in the attack pattern taxonomy under T1078 Valid Accounts and T1566 Phishing as attackers may need to obtain admin credentials to exploit this vulnerability. Organizations implementing coturn or similar network infrastructure software should establish regular security auditing processes to identify similar inconsistencies in input validation across different application modules and ensure comprehensive protection against sql injection attacks through proper parameterized query usage and input sanitization protocols.

Responsible

GitHub M

Reservation

06/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!