CVE-2026-27624
Published: 25 February 2026
Summary
CVE-2026-27624 is a high-severity Improper Access Control (CWE-284) vulnerability in Coturn (Coturn Project). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 17.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-27624 is a vulnerability in Coturn, a free open source implementation of TURN and STUN servers, affecting versions prior to 4.9.0. It enables a bypass of loopback and internal IP range restrictions configured via "denied-peer-ip" or default settings. Specifically, an attacker can send a CreatePermission or ChannelBind request with the XOR-PEER-ADDRESS set to the IPv4-mapped IPv6 address "::ffff:127.0.0.1", receiving a successful response despite blocks on 127.0.0.0/8. This stems from three functions in src/client/ns_turn_ioaddr.c—ioa_addr_is_loopback(), ioa_addr_is_zero(), and addr_less_eq()—failing to check for IN6_IS_ADDR_V4MAPPED addresses, allowing evasion of checks for 127.x.x.x, ::1, 0.0.0.0, and :: as previously addressed in CVE-2020-26262. The issue is rated CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and maps to CWE-284 and CWE-441.
The vulnerability can be exploited by any unauthenticated network attacker (PR:N) with access to the Coturn server. By crafting requests with IPv4-mapped IPv6 peer addresses, they bypass denied-peer-ip restrictions and loopback checks, potentially permitting unauthorized permission creation or channel binding to internal or loopback addresses. This leads to low-level confidentiality and integrity impacts (C:L/I:L) with changed scope (S:C), such as limited data exposure or modification in TURN/STUN relay contexts.
Mitigation requires updating to Coturn version 4.9.0, which includes an updated fix in src/client/ns_turn_ioaddr.c to properly handle IN6_IS_ADDR_V4MAPPED checks and address the bypass of CVE-2020-26262. Relevant advisories and the fixing commit are detailed in GitHub security advisories GHSA-6g6j-r9rf-cm7p and GHSA-j8mm-mpf8-gvjg, along with commit b80eb898ba26552600770162c26a8ae7f3661b0b.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8620
Vulnerability details
Coturn is a free open source implementation of TURN and STUN servers. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED": "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1"; "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0"; and "addr_less_eq()", used by "ioa_addr_in_range()" for "denied-peer-ip" matching, returns 0 when the range is AF_INET and the peer is AF_INET6, without extracting the embedded IPv4 address. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.
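As an added illustration of the address normalization the advisory describes (this is not Coturn's code and not the fix in the referenced commit; the function names parse_addr, effective_ipv4, addr_is_loopback, addr_is_zero, addr_in_v4_cidr and peer_denied, and the 10.0.0.0/8 sample denied range, are assumptions made for this example), the following C program reduces an IPv4-mapped IPv6 peer address to its embedded IPv4 before applying the loopback, zero and denied-range checks, so that "::ffff:127.0.0.1" and "::ffff:0.0.0.0" are classified exactly like "127.0.0.1" and "0.0.0.0", while native IPv6 addresses still go through the IPv6 checks.

```c
/* Added illustration (not Coturn's code): normalise IPv4-mapped IPv6 peer
 * addresses before the loopback / zero / denied-range checks, so that
 * "::ffff:127.0.0.1" is handled the same way as "127.0.0.1". */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a textual IPv4 or IPv6 address into a sockaddr_storage. Returns 1 on success. */
static int parse_addr(const char *text, struct sockaddr_storage *out) {
    memset(out, 0, sizeof(*out));
    struct sockaddr_in *s4 = (struct sockaddr_in *)out;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)out;
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) { s4->sin_family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) { s6->sin6_family = AF_INET6; return 1; }
    return 0;
}

/* The key step the advisory calls for: if the address is AF_INET6 and
 * IN6_IS_ADDR_V4MAPPED (::ffff:a.b.c.d), return the embedded IPv4 in host
 * byte order and set *is_v4. Plain IPv4 passes through; native IPv6 leaves
 * *is_v4 == 0 so the caller applies its IPv6 checks instead. */
static uint32_t effective_ipv4(const struct sockaddr_storage *a, int *is_v4) {
    *is_v4 = 0;
    if (a->ss_family == AF_INET) {
        *is_v4 = 1;
        return ntohl(((const struct sockaddr_in *)a)->sin_addr.s_addr);
    }
    if (a->ss_family == AF_INET6) {
        const struct in6_addr *in6 = &((const struct sockaddr_in6 *)a)->sin6_addr;
        if (IN6_IS_ADDR_V4MAPPED(in6)) {
            uint32_t v4;
            memcpy(&v4, &in6->s6_addr[12], 4); /* last 4 bytes carry the IPv4 */
            *is_v4 = 1;
            return ntohl(v4);
        }
    }
    return 0;
}

/* Loopback: 127.0.0.0/8 for IPv4 (mapped or not), ::1 for IPv6. */
int addr_is_loopback(const struct sockaddr_storage *a) {
    int is_v4;
    uint32_t v4 = effective_ipv4(a, &is_v4);
    if (is_v4) return (v4 >> 24) == 127;
    if (a->ss_family == AF_INET6)
        return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6 *)a)->sin6_addr);
    return 0;
}

/* Unspecified: 0.0.0.0 for IPv4 (mapped or not), :: for IPv6. */
int addr_is_zero(const struct sockaddr_storage *a) {
    int is_v4;
    uint32_t v4 = effective_ipv4(a, &is_v4);
    if (is_v4) return v4 == 0;
    if (a->ss_family == AF_INET6)
        return IN6_IS_ADDR_UNSPECIFIED(&((const struct sockaddr_in6 *)a)->sin6_addr);
    return 0;
}

/* Denied-range check against an IPv4 CIDR: a mapped IPv6 peer is compared by
 * its embedded IPv4 rather than skipped because the address families differ. */
int addr_in_v4_cidr(const struct sockaddr_storage *a, const char *net, int prefix) {
    int is_v4;
    uint32_t v4 = effective_ipv4(a, &is_v4);
    if (!is_v4) return 0;
    struct in_addr n;
    if (inet_pton(AF_INET, net, &n) != 1 || prefix < 0 || prefix > 32) return 0;
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    return (v4 & mask) == (ntohl(n.s_addr) & mask);
}

/* Apply all three checks to a textual peer address using a constructed sample
 * policy (loopback, zero, and a denied 10.0.0.0/8 range).
 * Returns 1 if the peer must be denied, 0 if it may be relayed to, -1 on parse error. */
int peer_denied(const char *peer) {
    struct sockaddr_storage a;
    if (!parse_addr(peer, &a)) return -1;
    return addr_is_loopback(&a) || addr_is_zero(&a) || addr_in_v4_cidr(&a, "10.0.0.0", 8);
}

int main(void) {
    /* Constructed sample peers, including the mapped forms named in the advisory. */
    const char *samples[] = {"127.0.0.1", "::ffff:127.0.0.1", "::1", "::ffff:0.0.0.0",
                             "::", "::ffff:10.1.2.3", "2001:db8::1", "93.184.216.34"};
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-20s denied=%d\n", samples[i], peer_denied(samples[i]));
    return 0;
}
```

When auditing a deployment, the same idea serves as a self-test: feed the policy check the mapped forms named in the advisory and confirm each is denied alongside its plain IPv4 equivalent. Note that IN6_IS_ADDR_V4MAPPED only recognises the ::ffff:0:0/96 form; other IPv4-in-IPv6 embeddings are outside this example and need their own policy decision.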
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated exploitation of a public-facing Coturn TURN/STUN server (T1190) via crafted CreatePermission/ChannelBind requests; the bypass of denied-peer-ip/loopback checks directly facilitates abuse of the server as an internal proxy/relay (T1090/T1090.001) and protocol tunneling to otherwise restricted internal/loopback addresses (T1572).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces denied-peer-ip and loopback restrictions on CreatePermission/ChannelBind requests; the CVE is a failure of this enforcement for IPv4-mapped IPv6 addresses.
- AC-4 (Information Flow Enforcement): Enforces the information-flow policy that blocks relay permissions to internal/loopback peers; the bypass via ::ffff:127.0.0.1 evades the flow-control checks in ns_turn_ioaddr.c.
- Input validation control (identifier not stated on this page): Requires validation and normalization of network address inputs; the three affected functions omit IN6_IS_ADDR_V4MAPPED checks, allowing crafted XOR-PEER-ADDRESS values to bypass policy.