CVE-2026-53449
Undergoing Analysis Undergoing Analysis - In Progress

Path Traversal in Coturn Server CLI Command

Vulnerability report for CVE-2026-53449, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes a filename argument and directly passes it to fopen with no path validation. An authenticated admin with CLI access can overwrite arbitrary files writable by the coturn process because the command string is used as-is after stripping the psd prefix and leading spaces, allowing truncation and overwrite with session dump data. This issue is fixed in version 4.13.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coturn coturn to 4.13.0 (exc)
coturn coturn 4.13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-53449 allows an authenticated admin with CLI access to overwrite arbitrary files writable by the coturn process, including potentially sensitive configuration files and TLS certificates. This arbitrary file write vulnerability could lead to unauthorized modification or disruption of service, which may impact the confidentiality, integrity, and availability of data handled by the coturn server.

Such impacts could affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system configurations to prevent unauthorized access or data breaches. The ability to overwrite critical files without path validation increases the risk of data integrity violations and service disruptions, potentially leading to non-compliance with these regulations.

Executive Summary

CVE-2026-53449 is a vulnerability in the coturn TURN server prior to version 4.13.0. It involves the 'psd' (print sessions dump) CLI command, which takes a filename argument and passes it directly to the fopen function without any path validation.

An authenticated admin with CLI access can exploit this by specifying arbitrary filenames, allowing them to overwrite any file writable by the coturn process. This can include important files such as configuration files or TLS certificates.

The vulnerability arises because the command string is used as-is after stripping the 'psd' prefix and leading spaces, enabling truncation and overwrite with session dump data. The issue was fixed in version 4.13.0 by removing the 'psd' command entirely and eliminating the file-output functionality.

Impact Analysis

This vulnerability allows an authenticated CLI admin to overwrite arbitrary files writable by the coturn process. This can lead to several impacts:

  • Overwriting configuration files, potentially disrupting service or changing server behavior.
  • Overwriting TLS certificates or other critical files, which could compromise security or cause denial of service.
  • Partial control over the content of overwritten files, which might be used to inject malicious data or disrupt operations.

Overall, exploitation can lead to service disruption and compromise of server integrity.

Detection Guidance

This vulnerability involves the coturn server's CLI command `psd` which allows an authenticated admin to overwrite arbitrary files by specifying a filename argument without path validation.

Detection can focus on monitoring usage of the `psd` command on the coturn server, especially any unusual or unauthorized file write attempts triggered by this command.

Since the vulnerability requires CLI access with admin privileges, checking coturn server logs for `psd` command usage or attempts to write to unexpected files can help detect exploitation.

  • Check coturn CLI command history or logs for usage of the `psd` command.
  • Use system commands to monitor file changes in directories writable by the coturn process, for example:
  • - `lsof -p $(pidof coturn)` to see open files by the coturn process.
  • - `inotifywait` or similar tools to watch for file modifications in coturn writable directories.
  • Review coturn configuration and ensure no unauthorized CLI access is possible.
Mitigation Strategies

The primary mitigation is to upgrade coturn to version 4.13.0 or later, where the vulnerable `psd` command has been removed entirely.

Until the upgrade can be applied, restrict CLI admin access to trusted users only, as exploitation requires authenticated CLI access.

Additionally, monitor and audit CLI usage to detect any attempts to use the `psd` command.

Consider restricting file system permissions so that the coturn process user cannot write to sensitive files or directories.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart