Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2026-27624

Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1." "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0." "addr_less_eq()" used by "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.2, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts limited data confidentiality, limited integrity, for affected systems. Impacting 1 product from coturn_project organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2026, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2026-02-25T05:17:25.380

Last Modified

2026-02-27T18:04:29.457

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

Weaknesses

Type: Secondary
CWE-284
CWE-441

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	coturn_project	coturn	< 4.9.0	Yes

References

https://github.com/coturn/coturn/commit/b80eb898ba26552600770162c26a8ae7f3661b0b Patch ([email protected])
https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p Not Applicable ([email protected])
https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg Exploit, Vendor Advisory ([email protected])
https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p Not Applicable (134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg Exploit, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For coturn_project's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.