Coturn up to 4.8.x ns_turn_ioaddr.c access control

Summaryinfo

A vulnerability, which was classified as critical, was found in Coturn up to 4.8.x. The impacted element is an unknown function of the file src/client/ns_turn_ioaddr.c. The manipulation results in access control. This vulnerability is identified as CVE-2026-27624. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical has been found in Coturn up to 4.8.x. Affected is some unknown functionality of the file src/client/ns_turn_ioaddr.c. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1." "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0." "addr_less_eq()" used by "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.

The advisory is available at github.com. This vulnerability is traded as CVE-2026-27624 since 02/20/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1068 by the MITRE ATT&CK project.

The vulnerability scanner Nessus provides a plugin with the ID 299987 (Linux Distros Unpatched Vulnerability : CVE-2026-27624), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 4.9.0 eliminates this vulnerability. Applying the patch b80eb898ba26552600770162c26a8ae7f3661b0b is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (299987) and EUVD (EUVD-2026-8620). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• Coturn

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5
• 4.6
• 4.7
• 4.8

License

• open-source

Website

• Product: https://github.com/coturn/coturn/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion