CVE-2026-53450 in Coturninfo

Summary

by MITRE • 07/10/2026

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN XOR-PEER-ADDRESS attribute. ioa_addr_is_loopback checks for the literal IPv6 loopback shape before IPv4-mapped IPv6 handling, so good_peer_addr does not apply the default loopback rejection and an authenticated TURN client can expose services bound only to localhost on the coturn host through TURN relay traffic. This issue is fixed in version 4.13.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in coturn versions prior to 4130 represents a significant security flaw that undermines the server's default loopback peer protection mechanism. This issue stems from the improper handling of IPv4-mapped IPv6 addresses within the TURN protocol implementation, specifically affecting how the server validates peer addresses during relay operations. The default security configuration designed to prevent unauthorized access to localhost services through TURN relaying is bypassed when attackers utilize the specific IPv4-mapped IPv6 loopback address format ::ffff127001. This address format allows connections that should be restricted to localhost services to be established through the TURN relay mechanism, creating an unexpected attack vector.

The technical implementation flaw occurs in the ioa_addr_is_loopback function which performs address validation checks in a specific order that fails to properly account for IPv4-mapped IPv6 addresses before applying the default loopback rejection logic. The sequence of operations within the codebase causes good_peer_addr to skip the standard loopback validation when processing the ::ffff127001 address, effectively allowing authenticated TURN clients to access services bound exclusively to localhost on the coturn server host. This bypass mechanism operates at the protocol level where the server fails to recognize that despite appearing as an IPv6 address, the underlying network traffic originates from a loopback interface that should be restricted by default.

The operational impact of this vulnerability extends beyond simple privilege escalation, creating potential exposure for sensitive localhost-bound services that are typically protected through network segmentation. Attackers can leverage this flaw to gain unauthorized access to applications that should only be accessible within the local network context, potentially leading to data exfiltration, service disruption, or further lateral movement within the network infrastructure. The vulnerability particularly affects organizations relying on coturn for network traffic relay where localhost services are not properly secured through additional network controls, as the TURN server itself becomes a potential conduit for local network reconnaissance and exploitation.

This security issue aligns with CWE-284 Access Control Vulnerabilities and represents an improper authorization flaw that violates the principle of least privilege in network services. The vulnerability demonstrates how protocol implementations can create unexpected attack surfaces when dealing with address representation formats, particularly when transitioning between IPv4 and IPv6 addressing schemes. From an ATT&CK perspective, this vulnerability maps to T1046 Network Service Scanning and potentially T1566 Phishing, as it enables attackers to bypass network protections that would normally restrict access to localhost services through legitimate TURN relay traffic.

The mitigation strategy involves upgrading to coturn version 4130 or later where the address validation logic has been corrected to properly handle IPv4-mapped IPv6 addresses before applying loopback rejection rules. Organizations should also implement additional network segmentation controls, monitor TURN relay traffic for unusual patterns, and ensure that localhost-bound services are properly protected through network-level access controls regardless of protocol-level protections. Security teams should conduct thorough assessments of their TURN server configurations to verify that the allow_loopback_peers setting is appropriately configured based on organizational security requirements, as this vulnerability effectively renders the default security settings ineffective against specific attack vectors involving IPv4-mapped addresses.

Responsible

GitHub M

Reservation

06/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!