CVE-2026-27624
Published: 25 February 2026
Summary
CVE-2026-27624 is a high-severity Improper Access Control (CWE-284) vulnerability in Coturn (Coturn Project). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 16.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enforces separation of domains that reduces the ability to bypass or violate access control boundaries.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
Requiring prior authorization for each remote access type prevents improper access control over remote connections.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE enables unauthenticated exploitation of a public-facing Coturn TURN/STUN server (T1190) via crafted CreatePermission or ChannelBind requests. Bypassing the denied-peer-ip and loopback checks lets the relay be abused as an internal proxy (T1090, T1090.001 Internal Proxy) and used for protocol tunneling (T1572) to internal or loopback addresses that the configuration was meant to block.
NVD Description
Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1". "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0". "addr_less_eq()", used by "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.
Deeper analysis (AI-generated)
CVE-2026-27624 is a vulnerability in Coturn, a free open source implementation of TURN and STUN servers, affecting versions prior to 4.9.0. It enables a bypass of loopback and internal IP range restrictions configured via "denied-peer-ip" or the default loopback restrictions. Specifically, an attacker can send a CreatePermission or ChannelBind request with XOR-PEER-ADDRESS set to the IPv4-mapped IPv6 address "::ffff:127.0.0.1" and receive a successful response despite 127.0.0.0/8 being blocked. The cause is that three functions in src/client/ns_turn_ioaddr.c, ioa_addr_is_loopback(), ioa_addr_is_zero() and addr_less_eq(), do not check IN6_IS_ADDR_V4MAPPED before classifying an address. The checks that catch 127.x.x.x, ::1, 0.0.0.0 and :: (the literal forms CVE-2020-26262 addressed) are therefore never applied to their IPv4-mapped equivalents ::ffff:127.0.0.1 and ::ffff:0.0.0.0, and an AF_INET denied-peer-ip range never matches an AF_INET6 peer address because the comparison returns 0 on family mismatch instead of extracting the embedded IPv4. The issue is rated CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-284 and CWE-441.
The CVSS vector rates the attacker as unauthenticated (PR:N) with network access to the Coturn server. One practical caveat: CreatePermission and ChannelBind act on an existing TURN allocation, so the attacker must first be able to obtain an allocation on that server under whatever authentication the deployment enforces. By crafting requests with IPv4-mapped IPv6 peer addresses, they bypass denied-peer-ip restrictions and loopback checks and obtain permissions or channel bindings toward internal or loopback addresses, turning the relay into a path to services the operator intended to keep unreachable. This yields low confidentiality and integrity impact (C:L/I:L) with changed scope (S:C), since the affected components are the services reached through the relay rather than Coturn itself.
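The classification gap described in the NVD text and the analysis above, as an added example written for this page (it is not coturn's code and does not reproduce ns_turn_ioaddr.c). It models the three checks in a "raw" form that mirrors the pre-4.9.0 shape, with no IN6_IS_ADDR_V4MAPPED handling, and a `peer_denied()` policy that either runs them directly (vulnerable shape) or first canonicalizes IPv4-mapped IPv6 to AF_INET (the fix shape). The `peer_addr` type, the function names and the denied-peer-ip rule 10.0.0.0-10.255.255.255 are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not coturn's code. peer_addr and every function below are
 * constructed for this page to show why "::ffff:127.0.0.1" slips past checks
 * that only know 127.x.x.x (AF_INET) and ::1 (AF_INET6). */

typedef struct {
    int family;            /* AF_INET or AF_INET6 */
    struct in_addr  v4;    /* valid when family == AF_INET */
    struct in6_addr v6;    /* valid when family == AF_INET6 */
} peer_addr;

/* Parse "127.0.0.1", "::1" or "::ffff:127.0.0.1" into a peer_addr. */
static bool parse_peer(const char *text, peer_addr *out) {
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, text, &out->v4) == 1)  { out->family = AF_INET;  return true; }
    if (inet_pton(AF_INET6, text, &out->v6) == 1) { out->family = AF_INET6; return true; }
    return false;
}

/* Fix shape: if a is IPv4-mapped IPv6 (::ffff:a.b.c.d), write the embedded
 * IPv4 into out as AF_INET and return true; otherwise copy a unchanged. */
static bool canonicalize_v4mapped(const peer_addr *a, peer_addr *out) {
    if (a->family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&a->v6)) {
        memset(out, 0, sizeof *out);
        out->family = AF_INET;
        memcpy(&out->v4.s_addr, &a->v6.s6_addr[12], 4); /* last 4 bytes, already network order */
        return true;
    }
    *out = *a;
    return false;
}

/* Raw loopback check: 127.0.0.0/8 for AF_INET, ::1 for AF_INET6, nothing else. */
static bool is_loopback_raw(const peer_addr *a) {
    if (a->family == AF_INET) return (ntohl(a->v4.s_addr) >> 24) == 127;
    return IN6_IS_ADDR_LOOPBACK(&a->v6);
}

/* Raw "zero" check: 0.0.0.0 for AF_INET, :: for AF_INET6, nothing else. */
static bool is_zero_raw(const peer_addr *a) {
    if (a->family == AF_INET) return a->v4.s_addr == 0;
    return IN6_IS_ADDR_UNSPECIFIED(&a->v6);
}

/* Raw IPv4 range match (lo/hi in host order). An AF_INET6 peer never matches
 * an AF_INET range, mirroring a comparison that returns 0 on family mismatch. */
static bool in_v4_range_raw(uint32_t lo, uint32_t hi, const peer_addr *a) {
    if (a->family != AF_INET) return false;
    uint32_t x = ntohl(a->v4.s_addr);
    return lo <= x && x <= hi;
}

/* Policy: deny loopback, the zero address, and the constructed denied-peer-ip
 * rule 10.0.0.0-10.255.255.255. fixed=false runs the raw checks on the peer
 * as received (vulnerable shape); fixed=true canonicalizes first.
 * Returns 1 = denied, 0 = allowed, -1 = unparsable. */
int peer_denied(const char *text, bool fixed) {
    peer_addr a, n;
    if (!parse_peer(text, &a)) return -1;
    if (fixed) canonicalize_v4mapped(&a, &n); else n = a;
    if (is_loopback_raw(&n) || is_zero_raw(&n)) return 1;
    if (in_v4_range_raw(0x0A000000u, 0x0AFFFFFFu, &n)) return 1;
    return 0;
}

int main(void) {
    /* Constructed sample peers; 203.0.113.7 is a documentation-range address. */
    const char *peers[] = { "127.0.0.1", "::1", "::ffff:127.0.0.1", "::ffff:0.0.0.0",
                            "10.1.2.3", "::ffff:10.1.2.3", "203.0.113.7" };
    for (size_t i = 0; i < sizeof peers / sizeof *peers; i++)
        printf("%-18s vulnerable=%d fixed=%d\n", peers[i],
               peer_denied(peers[i], false), peer_denied(peers[i], true));
    return 0;
}
```

Running it shows the three bypasses side by side: `::ffff:127.0.0.1`, `::ffff:0.0.0.0` and `::ffff:10.1.2.3` are allowed by the vulnerable path and denied once the address is canonicalized, while the plain IPv4 and IPv6 literals are denied either way. The same canonicalization step belongs in front of any other address-based policy (allowed-peer-ip, relay address selection) that a TURN deployment relies on.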
Mitigation requires updating to Coturn version 4.9.0 or later, which includes an updated fix in src/client/ns_turn_ioaddr.c that applies IN6_IS_ADDR_V4MAPPED handling to the loopback, zero-address and range checks and closes the bypass of the CVE-2020-26262 fix. After upgrading, verify that a CreatePermission or ChannelBind request naming "::ffff:127.0.0.1" (or an IPv4-mapped form of any denied-peer-ip range) is refused. The relevant advisories and the fixing commit are detailed in GitHub security advisories GHSA-6g6j-r9rf-cm7p and GHSA-j8mm-mpf8-gvjg, along with commit b80eb898ba26552600770162c26a8ae7f3661b0b.
Details
- CWE(s)