Coturn TURN and STUN Server Vulnerability Exposes Internal IP Addressing
CVE-2026-27624

7.2 HIGH

Key Information:

Vendor: Coturn
Status: Vendor
CVE Published: 25 February 2026

What is CVE-2026-27624?

Coturn, an open-source TURN and STUN server, has a security vulnerability caused by improper handling of IPv4-mapped IPv6 addresses. When the server is configured to block certain IP ranges via 'denied-peer-ip', it fails to verify those addresses correctly when a peer is specified in an 'XOR-PEER-ADDRESS' attribute in mapped form, such as '::ffff:127.0.0.1': the address is not recognised as a member of the blocked IPv4 range, so the configured restriction is bypassed. Users should upgrade to version 4.9.0 or later, which closes the gaps left by earlier fixes. The issue underlines that IP range validation must cover every textual form an address can take.
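The bug class described above, shown as an added example (not coturn's code): a naive deny-list check compares a peer address only against ranges of the same address family, so the mapped form '::ffff:127.0.0.1' is not matched against an IPv4 deny entry for 127.0.0.0/8, while the hardened check unwraps IPv4-mapped IPv6 addresses before matching. The deny list is a constructed illustration modelled on a 'denied-peer-ip' configuration, not coturn's defaults.

```python
import ipaddress
from typing import Iterable, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed deny list (assumption): loopback plus two RFC 1918 ranges,
# as an operator might configure with denied-peer-ip.
DENIED_PEER_RANGES: list = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def naive_is_denied(peer: str, ranges: Iterable[IPNetwork] = DENIED_PEER_RANGES) -> bool:
    """Vulnerable pattern: match the address exactly as parsed.

    '::ffff:127.0.0.1' parses as an IPv6 address, and an IPv6 address is never
    contained in an IPv4 network, so an IPv4-only deny list does not catch it.
    """
    addr = ipaddress.ip_address(peer)
    return any(addr.version == net.version and addr in net for net in ranges)


def canonical_peer(peer: str) -> IPAddress:
    """Reduce an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to the IPv4
    address it embeds; any other address is returned unchanged."""
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def hardened_is_denied(peer: str, ranges: Iterable[IPNetwork] = DENIED_PEER_RANGES) -> bool:
    """Hardened pattern: canonicalise first, then match, so the mapped and
    plain spellings of one IPv4 address are judged identically."""
    addr = canonical_peer(peer)
    return any(addr.version == net.version and addr in net for net in ranges)


if __name__ == "__main__":
    for peer in ("127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.1.2.3", "2001:db8::1"):
        print(f"{peer:>20}  naive={naive_is_denied(peer)!s:5}  hardened={hardened_is_denied(peer)}")
```

The same canonicalisation belongs in front of every place a peer address is compared against a policy, not only the one attribute named in the advisory.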

Affected Version(s)

coturn < 4.9.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
