SB2026063045 - Multiple vulnerabilities in coTURN
Published: June 30, 2026
Breakdown by Severity: Low, Medium, High, Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-53450)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to access localhost-bound services through TURN relay traffic.
The vulnerability exists because the loopback peer guard in good_peer_addr() and ioa_addr_is_loopback() does not recognise the IPv4-mapped IPv6 form of the loopback address (::ffff:127.0.0.1) when it appears in a TURN XOR-PEER-ADDRESS attribute. A remote user can request a permission or channel binding for the mapped loopback address and thereby reach localhost-bound services through TURN relay traffic.
The issue affects only the default loopback peer guard; it does not apply when an explicit denied-peer range covering 127.0.0.0/8 is configured.
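The following is an added illustration of the check class involved, not coturn's own code: a naive loopback guard that handles plain IPv4 127/8 and IPv6 ::1, next to a hardened one that also unwraps IPv4-mapped IPv6 addresses before applying the IPv4 rule. The peer_addr type, parse_peer() and the two check functions are hypothetical stand-ins for coturn's ioa_addr handling.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Minimal stand-in for a peer address: family plus raw bytes.
 * Hypothetical type, not coturn's ioa_addr. */
typedef struct {
    int family;                 /* AF_INET or AF_INET6 */
    union {
        struct in_addr  v4;
        struct in6_addr v6;
    } u;
} peer_addr;

/* Parse a textual address into peer_addr. Returns false on bad input. */
static bool parse_peer(const char *text, peer_addr *out) {
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, text, &out->u.v4) == 1) { out->family = AF_INET; return true; }
    if (inet_pton(AF_INET6, text, &out->u.v6) == 1) { out->family = AF_INET6; return true; }
    return false;
}

/* Naive guard: only 127/8 and ::1 count as loopback. An IPv4-mapped IPv6
 * address such as ::ffff:127.0.0.1 is AF_INET6 but is not ::1, so it
 * passes. This models the gap described for CVE-2026-53450. */
static bool naive_is_loopback(const peer_addr *a) {
    if (a->family == AF_INET)
        return (ntohl(a->u.v4.s_addr) >> 24) == 127;
    if (a->family == AF_INET6)
        return IN6_IS_ADDR_LOOPBACK(&a->u.v6);
    return false;
}

/* Hardened guard: additionally unwraps IPv4-mapped (::ffff:a.b.c.d)
 * addresses and applies the IPv4 rule to the embedded address. */
static bool hardened_is_loopback(const peer_addr *a) {
    if (a->family == AF_INET)
        return (ntohl(a->u.v4.s_addr) >> 24) == 127;
    if (a->family == AF_INET6) {
        if (IN6_IS_ADDR_LOOPBACK(&a->u.v6))
            return true;
        if (IN6_IS_ADDR_V4MAPPED(&a->u.v6))
            return a->u.v6.s6_addr[12] == 127;   /* bytes 12..15 hold the IPv4 address */
    }
    return false;
}

/* Text-taking wrappers used by the demo below and by tests. */
bool naive_check(const char *text) {
    peer_addr a;
    return parse_peer(text, &a) && naive_is_loopback(&a);
}

bool hardened_check(const char *text) {
    peer_addr a;
    return parse_peer(text, &a) && hardened_is_loopback(&a);
}

int main(void) {
    /* Constructed sample peer addresses. */
    const char *samples[] = { "127.0.0.1", "::1", "::ffff:127.0.0.1", "::ffff:10.0.0.5", "203.0.113.7" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s naive=%d hardened=%d\n", samples[i], naive_check(samples[i]), hardened_check(samples[i]));
    return 0;
}
```

The same unwrapping step belongs wherever a deployment compares peer addresses against any reserved or private range, not only 127/8; a denied-peer rule for 127.0.0.0/8 that is applied after normalising mapped addresses is what makes the configured mitigation in the bulletin effective.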
2) Path traversal (CVE-ID: CVE-2026-53449)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to overwrite arbitrary files writable by the coturn process.
The vulnerability exists due to improper path validation in the psd CLI command handler when processing a user-supplied filename argument. A local privileged user can supply a crafted file path to overwrite arbitrary files writable by the coturn process.
The written content consists of session dump data, and an attacker can influence portions of that content by creating TURN allocations with crafted usernames.
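As an added example of the validation that a filename argument like the one described above needs (hypothetical helper code, not coturn's psd handler), the functions below restrict a dump file name to a single allow-listed path component and then join it to a fixed base directory. The base directory /var/lib/coturn/dumps in the demo is a constructed placeholder.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Accept only a plain file name: non-empty, not "." or "..", and made of
 * [A-Za-z0-9._-]. Anything with a separator or other characters is refused,
 * so the name cannot escape the base directory. Hypothetical helper. */
bool is_safe_dump_name(const char *name) {
    if (name == NULL || *name == '\0') return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* Build base_dir/name into out. Returns false if the name is unsafe or the
 * result would not fit in out. */
bool build_dump_path(const char *base_dir, const char *name, char *out, size_t outlen) {
    if (!is_safe_dump_name(name)) return false;
    int n = snprintf(out, outlen, "%s/%s", base_dir, name);
    return n > 0 && (size_t)n < outlen;
}

int main(void) {
    /* Constructed sample arguments a CLI handler might receive. */
    const char *names[] = { "session-1.txt", "../etc/crontab", "/tmp/x", "..", "" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool ok = build_dump_path("/var/lib/coturn/dumps", names[i], path, sizeof path);
        printf("%-16s -> %s\n", names[i], ok ? path : "(rejected)");
    }
    return 0;
}
```

An allow-list on the name is preferable to stripping "../" sequences, which can be reassembled from what remains; opening the result with O_NOFOLLOW and O_CREAT|O_EXCL, and running the process with a tightly scoped writable file set, limits the damage if the check is ever bypassed.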
Remediation
Install the update from the vendor's website.