CVE-2026-53448
Undergoing Analysis Undergoing Analysis - In Progress

SQL Injection in Coturn Admin Panel

Vulnerability report for CVE-2026-53448, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The is_secure_string filter that protects the STUN protocol path is not applied to the admin panel's delete-user, delete-secret, and delete-IP operations, so an authenticated admin can inject arbitrary SQL through the du, ds, and dip parameters, gaining full database control and potentially OS-level access via PostgreSQL COPY TO PROGRAM. This issue is fixed in version 4.12.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coturn coturn to 4.12.0 (exc)
coturn coturn 4.12.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53448 is a SQL injection vulnerability in the coturn HTTPS admin panel affecting versions 4.12.0 and earlier.

The vulnerability occurs because HTTP query parameters for delete-user, delete-secret, and delete-IP operations are passed directly into SQL queries using snprintf without proper sanitization.

The is_secure_string filter, which protects other parts of the system, is not applied to these admin panel operations, allowing an authenticated admin to inject arbitrary SQL through parameters like du, ds, and dip.

Exploiting this flaw can give the attacker full control over the database and potentially OS-level access via PostgreSQL's COPY TO PROGRAM feature.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP query parameters sent to the coturn HTTPS admin panel, specifically targeting the delete-user (du), delete-secret (ds), and delete-IP (dip) operations. Since exploitation requires authenticated admin access and the --web-admin flag enabled, checking for unusual or malformed parameters in these requests can indicate an attempt to exploit the SQL injection.

Commands to detect exploitation attempts could include inspecting web server logs or capturing HTTP requests to the admin panel for suspicious SQL injection patterns such as payloads containing SQL syntax (e.g., ' OR 1=1--). For example, using grep on logs:

  • grep -iE 'du=|ds=|dip=' /var/log/coturn/access.log
  • grep -iE "du=' OR 1=1--|ds=' OR 1=1--|dip=' OR 1=1--" /var/log/coturn/access.log

Additionally, network traffic capture tools like tcpdump or Wireshark can be used to filter HTTPS admin panel traffic and analyze query parameters for suspicious content.

Impact Analysis

If exploited, this vulnerability allows an authenticated admin to execute arbitrary SQL commands, which can lead to full database control.

An attacker could delete all users or secrets, insert backdoor admin accounts, read any database tables, or execute operating system commands through PostgreSQL.

This could result in severe data loss, unauthorized access, and compromise of the underlying server operating system.

However, exploitation requires valid admin credentials and the --web-admin flag to be enabled, which is disabled by default.

Mitigation Strategies

The immediate mitigation step is to upgrade coturn to version 4.12.0 or later, where this SQL injection vulnerability has been fixed by applying proper input validation using the is_secure_string filter on the admin panel's delete-user, delete-secret, and delete-IP operations.

If upgrading immediately is not possible, ensure that the --web-admin flag is disabled, as it is disabled by default, to prevent access to the vulnerable HTTPS admin panel.

Additionally, restrict access to the admin panel to trusted networks and users only, and monitor admin panel access logs for suspicious activity.

Compliance Impact

The vulnerability allows an authenticated admin to perform SQL injection attacks on the coturn HTTPS admin panel, potentially gaining full database control and OS-level access. This could lead to unauthorized access, modification, or deletion of sensitive data stored in the database.

Such unauthorized access and manipulation of data can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information, as well as ensuring data integrity and confidentiality.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing sensitive data to unauthorized parties and failing to maintain required security controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart