Cyber Resilience

CVE-2026-27624

High · Public PoC

Published: 25 February 2026

Modified: 27 February 2026
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0005 (17.1th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27624 is a high-severity Improper Access Control (CWE-284) vulnerability in Coturn Project Coturn. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-27624 is a vulnerability in Coturn, a free open source implementation of TURN and STUN servers, affecting versions prior to 4.9.0. It enables a bypass of loopback and internal IP range restrictions configured via "denied-peer-ip" or default settings. Specifically, an attacker can send a CreatePermission or ChannelBind request with the XOR-PEER-ADDRESS set to the IPv4-mapped IPv6 address "::ffff:127.0.0.1", receiving a successful response despite blocks on 127.0.0.0/8. This stems from three functions in src/client/ns_turn_ioaddr.c—ioa_addr_is_loopback(), ioa_addr_is_zero(), and addr_less_eq()—failing to check for IN6_IS_ADDR_V4MAPPED addresses, allowing evasion of checks for 127.x.x.x, ::1, 0.0.0.0, and :: as previously addressed in CVE-2020-26262. The issue is rated CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-284 and CWE-441.

The vulnerability can be exploited by any unauthenticated network attacker (PR:N) with access to the Coturn server. By crafting requests with IPv4-mapped IPv6 peer addresses, they bypass denied-peer-ip restrictions and loopback checks, potentially permitting unauthorized permission creation or channel binding to internal or loopback addresses. This leads to low-level confidentiality and integrity impacts (C:L/I:L) with changed scope (S:C), such as limited data exposure or modification in TURN/STUN relay contexts.

Mitigation requires updating to Coturn version 4.9.0, which includes an updated fix in src/client/ns_turn_ioaddr.c to properly handle IN6_IS_ADDR_V4MAPPED checks and address the bypass of CVE-2020-26262. Relevant advisories and the fixing commit are detailed in GitHub security advisories GHSA-6g6j-r9rf-cm7p and GHSA-j8mm-mpf8-gvjg, along with commit b80eb898ba26552600770162c26a8ae7f3661b0b.

EU & UK References

Vulnerability details

Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1". "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0". "addr_less_eq()", used by "ioa_addr_in_range()" for "denied-peer-ip" matching, returns 0 without extracting the embedded IPv4 when the range is AF_INET and the peer is AF_INET6. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.
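The normalisation step that all three affected checks lacked, shown as an added example (this is not coturn's code; the function names here are illustrative, and the real functions live in src/client/ns_turn_ioaddr.c): unwrap an IPv4-mapped IPv6 peer to its embedded IPv4 before applying loopback and denied-peer-ip range logic, so that ::ffff:127.0.0.1 is judged exactly like 127.0.0.1. The range check takes dotted-quad bounds, which is an assumption for the example rather than coturn's own range representation.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Parse a textual IPv4 or IPv6 peer address into a sockaddr_storage. */
static int parse_peer(const char *text, struct sockaddr_storage *out) {
    struct sockaddr_in *a4 = (struct sockaddr_in *)out;
    struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)out;
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, &a4->sin_addr) == 1) { a4->sin_family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, &a6->sin6_addr) == 1) { a6->sin6_family = AF_INET6; return 1; }
    return 0;
}

/* The missing normalisation: an AF_INET peer or an IPv4-mapped IPv6 peer
 * (::ffff:a.b.c.d) yields its IPv4 in host byte order; native IPv6 yields 0. */
static int effective_ipv4(const struct sockaddr_storage *ss, uint32_t *v4) {
    const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)ss;
    uint32_t raw;
    if (ss->ss_family == AF_INET) {
        raw = ((const struct sockaddr_in *)ss)->sin_addr.s_addr;
    } else if (ss->ss_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) {
        memcpy(&raw, &a6->sin6_addr.s6_addr[12], 4); /* embedded IPv4 = last 4 bytes */
    } else {
        return 0;
    }
    *v4 = ntohl(raw);
    return 1;
}

/* Loopback check covering 127.0.0.0/8, ::1 and ::ffff:127.x.x.x (illustrative name). */
int peer_is_loopback(const char *text) {
    struct sockaddr_storage ss; uint32_t v4;
    if (!parse_peer(text, &ss)) return 0;
    if (effective_ipv4(&ss, &v4)) return (v4 >> 24) == 127;
    return !!IN6_IS_ADDR_LOOPBACK(&((struct sockaddr_in6 *)&ss)->sin6_addr);
}

/* denied-peer-ip style match against an IPv4 range given as dotted-quad bounds;
 * a mapped IPv6 peer is compared via its embedded IPv4 instead of being skipped. */
int peer_in_v4_range(const char *text, const char *lo_txt, const char *hi_txt) {
    struct sockaddr_storage ss, lo, hi; uint32_t v4, l, h;
    if (!parse_peer(text, &ss) || !parse_peer(lo_txt, &lo) || !parse_peer(hi_txt, &hi)) return 0;
    if (!effective_ipv4(&ss, &v4) || !effective_ipv4(&lo, &l) || !effective_ipv4(&hi, &h)) return 0;
    return l <= v4 && v4 <= h;
}
```

The same unwrap applies to the zero-address check (0.0.0.0, :: and ::ffff:0.0.0.0): test the result of effective_ipv4() for zero before falling back to IN6_IS_ADDR_UNSPECIFIED.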

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1090 Proxy Command And Control
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
T1090.001 Internal Proxy Command And Control
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.
T1572 Protocol Tunneling Command And Control
Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.
Why these techniques?

The CVE enables unauthenticated exploitation of a public-facing Coturn TURN/STUN server (T1190) via crafted CreatePermission/ChannelBind requests; the bypass of denied-peer-ip/loopback checks directly facilitates abuse of the server as an internal proxy/relay (T1090/T1090.001) and protocol tunneling to otherwise restricted internal/loopback addresses (T1572).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40613 · Same product: Coturn Project Coturn
CVE-2026-39339 · Shared CWE-284
CVE-2026-46839 · Shared CWE-284
CVE-2025-26010 · Shared CWE-284
CVE-2026-34291 · Shared CWE-284
CVE-2023-47539 · Shared CWE-284
CVE-2026-23899 · Shared CWE-284
CVE-2025-7016 · Shared CWE-284
CVE-2026-46822 · Shared CWE-284
CVE-2024-37566 · Shared CWE-284

Affected Assets

coturn project · coturn · ≤ 4.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Directly enforces denied-peer-ip and loopback restrictions on CreatePermission/ChannelBind requests; the CVE is a failure of this enforcement for IPv4-mapped IPv6 addresses.

prevent: Enforces information-flow policy that blocks relay permissions to internal/loopback peers; the bypass via ::ffff:127.0.0.1 evades the flow-control checks in ns_turn_ioaddr.c.

prevent: Requires validation and normalization of network address inputs; the three affected functions omit IN6_IS_ADDR_V4MAPPED checks, allowing crafted XOR-PEER-ADDRESS values to bypass policy.

References