CVE-2026-53450
Undergoing Analysis Undergoing Analysis - In Progress

Loopback Bypass in Coturn TURN/STUN Server

Vulnerability report for CVE-2026-53450, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN XOR-PEER-ADDRESS attribute. ioa_addr_is_loopback checks for the literal IPv6 loopback shape before IPv4-mapped IPv6 handling, so good_peer_addr does not apply the default loopback rejection and an authenticated TURN client can expose services bound only to localhost on the coturn host through TURN relay traffic. This issue is fixed in version 4.13.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
coturn coturn to 4.12.0|start_including=4.13.0 (inc)
coturn coturn 4.13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated attacker to bypass loopback peer restrictions and potentially expose services bound only to localhost on the coturn host through TURN relay traffic.

Such unauthorized exposure of internal services could lead to unauthorized access to sensitive data or systems, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls and protection of personal or sensitive information.

Therefore, exploitation of this vulnerability could undermine the security controls necessary to meet these regulatory requirements, increasing the risk of data breaches or unauthorized data exposure.

Executive Summary

CVE-2026-53450 is a vulnerability in coturn, an open source TURN server implementation. The issue arises because coturn's function that checks for loopback addresses does not correctly identify IPv4-mapped IPv6 loopback addresses like ::ffff:127.0.0.1. While coturn normally rejects loopback peers by default, this check can be bypassed by using the IPv4-mapped IPv6 format, allowing an authenticated TURN client to bypass the default loopback rejection.

This means that services bound only to localhost on the coturn host can be exposed through TURN relay traffic, which should normally be protected. The vulnerability is fixed in coturn version 4.13.0 by reordering the address checks to properly detect IPv4-mapped IPv6 loopback addresses.

Impact Analysis

This vulnerability allows an authenticated attacker to bypass coturn's default security control that rejects loopback peers. By exploiting the incorrect loopback address check, the attacker can access services that are bound only to localhost on the coturn host through TURN relay traffic.

The impact includes potential unauthorized exposure of local services, which could lead to information disclosure, integrity compromise, or availability issues on the affected host. The CVSS score of 7.4 indicates a high severity with low attack complexity and no user interaction required.

Detection Guidance

This vulnerability involves an authenticated TURN client bypassing loopback peer restrictions by using an IPv4-mapped IPv6 address (::ffff:127.0.0.1) in TURN XOR-PEER-ADDRESS attributes. Detection would involve monitoring TURN server traffic for such peer addresses that use IPv4-mapped IPv6 loopback addresses.

Commands to detect this might include inspecting TURN relay traffic or logs for peer addresses encoded as ::ffff:127.0.0.1 or similar IPv4-mapped IPv6 loopback addresses.

  • Use packet capture tools like tcpdump or Wireshark to filter TURN traffic and look for XOR-PEER-ADDRESS attributes containing ::ffff:127.0.0.1.
  • Example tcpdump command: tcpdump -i <interface> -nn -s0 -v udp port <coturn_port> and 'udp[<offset>:4] = 0x3a3a6666' (to filter for ::ffff prefix in TURN packets, adjusting offset as needed).
  • Review coturn server logs for authenticated clients using peer addresses with IPv4-mapped IPv6 loopback addresses.
Mitigation Strategies

The primary mitigation is to upgrade coturn to version 4.13.0 or later, where the vulnerability is fixed by correctly handling IPv4-mapped IPv6 loopback addresses.

Until the upgrade can be applied, consider restricting authenticated TURN clients' ability to specify peer addresses or disable TURN relay functionality if not needed.

Review and tighten access controls on coturn to limit authenticated clients and monitor for suspicious peer address usage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53450. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart