{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27624", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T22:02:30.027Z", "datePublished": "2026-02-25T04:04:17.009Z", "dateUpdated": "2026-02-25T15:09:21.716Z"}, "containers": {"cna": {"title": "Coturn: IPv4-mapped IPv6 (::ffff:0:0/96) bypasses denied-peer-ip ACL", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-441", "lang": "en", "description": "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg"}, {"name": "https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p", "tags": ["x_refsource_MISC"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p"}, {"name": "https://github.com/coturn/coturn/commit/b80eb898ba26552600770162c26a8ae7f3661b0b", "tags": ["x_refsource_MISC"], "url": "https://github.com/coturn/coturn/commit/b80eb898ba26552600770162c26a8ae7f3661b0b"}], "affected": [{"vendor": "coturn", "product": "coturn", "versions": [{"version": "< 4.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T04:04:17.009Z"}, "descriptions": [{"lang": "en", "value": "Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using \"denied-peer-ip\" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving \"0.0.0.0\", \"[::1]\" and \"[::]\", but IPv4-mapped IPv6 is not covered. When sending a \"CreatePermission\" or \"ChannelBind\" request with the \"XOR-PEER-ADDRESS\" value of \"::ffff:127.0.0.1\", a successful response is received, even though \"127.0.0.0/8\" is blocked via \"denied-peer-ip\". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in \"src/client/ns_turn_ioaddr.c\" do not check \"IN6_IS_ADDR_V4MAPPED\". \"ioa_addr_is_loopback()\" checks \"127.x.x.x\" (AF_INET) and \"::1\" (AF_INET6), but not \"::ffff:127.0.0.1.\" \"ioa_addr_is_zero()\" checks \"0.0.0.0\" and \"::\", but not \"::ffff:0.0.0.0.\" \"addr_less_eq()\" used by \"ioa_addr_in_range()\" for \"denied-peer-ip\" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262."}], "source": {"advisory": "GHSA-j8mm-mpf8-gvjg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p", "tags": ["exploit"]}, {"url": "https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T15:09:17.451722Z", "id": "CVE-2026-27624", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:09:21.716Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coturn_project:coturn:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C4DE18B-B9AA-4314-B584-7BA316D5D7DB", "versionEndExcluding": "4.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using \"denied-peer-ip\" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving \"0.0.0.0\", \"[::1]\" and \"[::]\", but IPv4-mapped IPv6 is not covered. When sending a \"CreatePermission\" or \"ChannelBind\" request with the \"XOR-PEER-ADDRESS\" value of \"::ffff:127.0.0.1\", a successful response is received, even though \"127.0.0.0/8\" is blocked via \"denied-peer-ip\". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in \"src/client/ns_turn_ioaddr.c\" do not check \"IN6_IS_ADDR_V4MAPPED\". \"ioa_addr_is_loopback()\" checks \"127.x.x.x\" (AF_INET) and \"::1\" (AF_INET6), but not \"::ffff:127.0.0.1.\" \"ioa_addr_is_zero()\" checks \"0.0.0.0\" and \"::\", but not \"::ffff:0.0.0.0.\" \"addr_less_eq()\" used by \"ioa_addr_in_range()\" for \"denied-peer-ip\" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262."}, {"lang": "es", "value": "Coturn es una implementaci\u00f3n de c\u00f3digo abierto gratuita de servidor TURN y STUN. Coturn se configura com\u00fanmente para bloquear rangos de loopback e internos usando 'denied-peer-ip' y/o restricciones de loopback predeterminadas. CVE-2020-26262 abord\u00f3 evasiones que involucran '0.0.0.0', '[::1]' y '[::]', pero IPv6 mapeado a IPv4 no est\u00e1 cubierto. Al enviar una solicitud 'CreatePermission' o 'ChannelBind' con el valor 'XOR-PEER-ADDRESS' de '::ffff:127.0.0.1', se recibe una respuesta exitosa, aunque '127.0.0.0/8' est\u00e1 bloqueado a trav\u00e9s de 'denied-peer-ip'. La causa ra\u00edz es que, antes de la correcci\u00f3n actualizada implementada en la versi\u00f3n 4.9.0, tres funciones en 'src/client/ns_turn_ioaddr.c' no verifican 'IN6_IS_ADDR_V4MAPPED'. 'ioa_addr_is_loopback()' verifica '127.x.x.x' (AF_INET) y '::1' (AF_INET6), pero no '::ffff:127.0.0.1'. 'ioa_addr_is_zero()' verifica '0.0.0.0' y '::', pero no '::ffff:0.0.0.0'. 'addr_less_eq()' utilizada por 'ioa_addr_in_range()' para la coincidencia de 'denied-peer-ip': cuando el rango es AF_INET y el par es AF_INET6, la comparaci\u00f3n devuelve 0 sin extraer el IPv4 incrustado. La versi\u00f3n 4.9.0 contiene una correcci\u00f3n actualizada para abordar la evasi\u00f3n de la correcci\u00f3n para CVE-2020-26262."}], "id": "CVE-2026-27624", "lastModified": "2026-02-27T18:04:29.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T05:17:25.380", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/coturn/coturn/commit/b80eb898ba26552600770162c26a8ae7f3661b0b"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Not Applicable"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-441"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coturn", "source": "cna", "vendor": "coturn"}, "product": "coturn", "vendor": "coturn"}], "analysis": {"en": {"generated_at": "2026-04-17T15:25:36.835373+00:00", "value": {"mitigation_remediation": ["Upgrade coturn to version 4.9.0 or newer to apply the address\u2011validation fix.", "Review and enforce denied\u2011peer\u2011ip ACLs to confirm they exclude all IPv4\u2011mapped equivalents of internal addresses.", "Implement network monitoring to detect unauthorized TURN connections that may bypass ACLs."], "summary": {"action": "Immediate Patch", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "coturn installed from the coturn project, versions prior to 4.9.0 are affected. The issue applies to all builds that rely on the ns_turn_ioaddr.c address handling, regardless of operating system or deployment model. Administrators must verify whether they are using a version earlier than 4.9.0 and whether denied\u2011peer\u2011ip ACLs are configured.", "description_and_impact": "coturn, a TURN/STUN server, allows attackers to circumvent configured IP blocks by using IPv4\u2011mapped IPv6 addresses in CreatePermission or ChannelBind requests. A request with XOR\u2011PEER\u2011ADDRESS set to \"::ffff:127.0.0.1\" receives a successful response even though 127.0.0.0/8 is listed in denied\u2011peer\u2011ip. The flaw stems from missing IPv4\u2011mapped checks in address\u2011validation functions, enabling unauthorized peer connections.", "risk_and_exploitability": "With a CVSS score of 7.2, the vulnerability poses a significant authorization breach risk; however, the EPSS score of less than 1% suggests that exploits are currently scarce. Because the flaw is triggered by a network\u2011based TURN request, attackers must be able to reach the server, making it exploitable over public or internal networks. The absence of a KEV listing indicates no widespread active exploitation yet, but the control bypass remains critical for environments that rely on denied\u2011peer\u2011ip to restrict local or private traffic."}}}}, "created": "2026-02-25T11:34:38.353504+00:00", "updated": "2026-04-17T15:30:06.032723+00:00", "vendors": ["coturn", "coturn$PRODUCT$coturn"]}