PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53450 coturn CVE debrief

The Coturn implementation of TURN and STUN Server is vulnerable to a loopback bypass issue. Prior to version 4.13.0, the default loopback guard can be circumvented by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN XOR-PEER-ADDRESS attribute. This allows an authenticated TURN client to expose services bound only to localhost on the Coturn host through TURN relay traffic. The vulnerability has been addressed in Coturn version 4.13.0. This issue affects Coturn servers with services bound to localhost, potentially exposing them to unauthorized access through TURN relay traffic.

Vendor
coturn
Product
Unknown
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of Coturn TURN and STUN Server instances, particularly those with services bound to localhost that should not be exposed through TURN relay traffic, should be aware of this vulnerability. Operators of Coturn servers, especially those with sensitive services running on localhost, need to assess their exposure and take necessary actions. Vulnerability management and security teams should prioritize updating Coturn to version 4.13.0 or later and restrict access to Coturn services to only necessary parties.

Technical summary

The Coturn server, prior to version 4.13.0, has a vulnerability that allows an authenticated TURN client to bypass the default loopback protection. This is achieved by using the IPv4-mapped IPv6 address ::ffff:127.0.0.1 in the TURN XOR-PEER-ADDRESS attribute. The ioa_addr_is_loopback function checks for the literal IPv6 loopback shape before handling IPv4-mapped IPv6 addresses, which allows the bypass. This vulnerability can be used to expose services bound to localhost on the Coturn host through TURN relay traffic. The issue is fixed in Coturn version 4.13.0.

Defensive priority

High

Recommended defensive actions

  • Update Coturn to version 4.13.0 or later
  • Restrict access to Coturn services to only necessary parties
  • Monitor Coturn logs for suspicious activity
  • Consider implementing additional security measures such as authentication and authorization for TURN clients
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability is fixed in Coturn version 4.13.0. The issue was reported and addressed through the GitHub security advisory process. Evidence of the vulnerability's existence and impact is limited, and defenders should verify the affected scope and severity. Coturn's default loopback guard can be bypassed, allowing an authenticated TURN client to expose services bound only to localhost on the Coturn host through TURN relay traffic. Further review of system logs and network traffic is recommended to detect potential exploitation attempts.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:24.193Z and has not been modified since then.