Description
Coturn is a free open source implementation of a TURN and STUN server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When a "CreatePermission" or "ChannelBind" request is sent with the "XOR-PEER-ADDRESS" value "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED": "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1"; "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0"; and in "addr_less_eq()", used by "ioa_addr_in_range()" for "denied-peer-ip" matching, when the range is AF_INET and the peer is AF_INET6 the comparison returns 0 without extracting the embedded IPv4 address. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.
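As an added illustration (not coturn's own code), the C snippet below reproduces the shape of the loopback and denied-peer-ip checks described above, and the hardened form that unwraps IPv4-mapped peers with IN6_IS_ADDR_V4MAPPED before matching. The peer_addr type and the peer_parse, peer_unmap, is_loopback_naive, is_loopback_fixed and in_v4_range names are assumptions of this example; the "::ffff:127.0.0.1" and "127.0.0.0/8" inputs are the ones the advisory names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose inet_pton and the IN6_* macros under strict -std flags on glibc */
#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for coturn's ioa_addr (illustration only, not coturn's own type). */
typedef struct {
    int family;              /* AF_INET or AF_INET6 */
    struct in_addr v4;
    struct in6_addr v6;
} peer_addr;
static int peer_parse(const char *s, peer_addr *a) {
    memset(a, 0, sizeof(*a));
    if (inet_pton(AF_INET, s, &a->v4) == 1) { a->family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, s, &a->v6) == 1) { a->family = AF_INET6; return 1; }
    return 0;
}

/* Normalise: an IPv4-mapped IPv6 peer (::ffff:a.b.c.d) becomes plain AF_INET a.b.c.d. */
static void peer_unmap(peer_addr *a) {
    if (a->family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&a->v6)) {
        memcpy(&a->v4, &a->v6.s6_addr[12], 4);   /* last four bytes carry the IPv4 address */
        a->family = AF_INET;
    }
}

/* Loopback test in the pre-4.9.0 shape the advisory describes: 127/8 for AF_INET, ::1 for AF_INET6. A mapped peer is AF_INET6, so it never reaches the 127/8 branch and passes. */
static int is_loopback_naive(const peer_addr *a) {
    if (a->family == AF_INET) return (ntohl(a->v4.s_addr) >> 24) == 127;
    return IN6_IS_ADDR_LOOPBACK(&a->v6);
}

/* Hardened variant: unwrap the mapped form first, then apply the same rules. */
static int is_loopback_fixed(const peer_addr *a) {
    peer_addr c = *a;
    peer_unmap(&c);
    return is_loopback_naive(&c);
}

/* denied-peer-ip style CIDR match that unwraps too, so an AF_INET range catches a mapped peer (the advisory says the old AF_INET-range vs AF_INET6-peer comparison simply returned 0). */
static int in_v4_range(const peer_addr *a, const char *net, int prefix) {   /* prefix: 0..32 */
    peer_addr c = *a, n;
    peer_unmap(&c);
    if (c.family != AF_INET || !peer_parse(net, &n) || n.family != AF_INET) return 0;
    uint32_t mask = prefix ? htonl(0xffffffffu << (32 - prefix)) : 0;
    return (c.v4.s_addr & mask) == (n.v4.s_addr & mask);
}
```

The naive check returns 0 for "::ffff:127.0.0.1" while the unwrapped checks classify it as loopback and as inside 127.0.0.0/8, which is the behaviour an ACL relying on denied-peer-ip needs.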
Published: 2026-02-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass
Action: Immediate Patch
AI Analysis

Impact

coturn, a TURN/STUN server, allows attackers to circumvent configured IP blocks by using IPv4‑mapped IPv6 addresses in CreatePermission or ChannelBind requests. A request with XOR‑PEER‑ADDRESS set to "::ffff:127.0.0.1" receives a successful response even though 127.0.0.0/8 is listed in denied‑peer‑ip. The flaw stems from missing IPv4‑mapped checks in address‑validation functions, enabling unauthorized peer connections.

Affected Systems

coturn versions prior to 4.9.0 are affected. The issue applies to all builds that rely on the ns_turn_ioaddr.c address handling, regardless of operating system or deployment model. Administrators should verify whether they run a version earlier than 4.9.0 and whether denied‑peer‑ip ACLs are configured.

Risk and Exploitability

With a CVSS score of 7.2, the vulnerability poses a significant authorization‑bypass risk; however, the EPSS score of less than 1% indicates a low estimated probability of exploitation at present. Because the flaw is triggered by a network‑based TURN request, an attacker only needs to be able to reach the server, so it is exploitable over public or internal networks. The absence of a KEV listing indicates no known widespread active exploitation yet, but the bypass remains critical for environments that rely on denied‑peer‑ip to restrict local or private traffic.

Generated by OpenCVE AI on April 17, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade coturn to version 4.9.0 or newer to apply the address‑validation fix.
  • Review and enforce denied‑peer‑ip ACLs to confirm they exclude all IPv4‑mapped equivalents of internal addresses.
  • Implement network monitoring to detect unauthorized TURN connections that may bypass ACLs.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 18:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Coturn Project; Coturn Project coturn
CPEs                                   cpe:2.3:a:coturn_project:coturn:*:*:*:*:*:*:*:*
Vendors & Products                     Coturn Project; Coturn Project coturn

Wed, 25 Feb 2026 12:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Coturn; Coturn coturn
Vendors & Products                     Coturn; Coturn coturn

Wed, 25 Feb 2026 05:00:00 +0000

Type           Values Removed    Values Added
Description                      (the CVE description shown at the top of this page)
Title                            Coturn: IPv4-mapped IPv6 (::ffff:0:0/96) bypasses denied-peer-ip ACL
Weaknesses                       CWE-284; CWE-441
References
Metrics                          cvssV3_1: score 7.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T15:09:21.716Z

Reserved: 2026-02-20T22:02:30.027Z

Link: CVE-2026-27624

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T05:17:25.380

Modified: 2026-02-27T18:04:29.457

Link: CVE-2026-27624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses