Path traversal in coTURN - CVE-2026-53449
Published: June 30, 2026
coTURN
Detailed vulnerability description
The vulnerability allows a local privileged user to overwrite arbitrary files writable by the coturn process.
The vulnerability exists due to improper path validation in the psd CLI command handler when processing a user-supplied filename argument. A local privileged user can supply a crafted file path to overwrite arbitrary files writable by the coturn process.
The written content consists of session dump data, and an attacker can influence portions of that content by creating TURN allocations with crafted usernames.
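A defensive sketch of the kind of check described as missing, added here as an example and not taken from coturn or its fix: a dump-file opener that confines a CLI-supplied name to one directory and refuses to overwrite, plus a filter for attacker-influenced fields such as usernames. The function names, the dedicated dump directory and the 255-byte name limit are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not coturn code): accept only a bare file name,
 * so "../x", "/etc/x" and "sub/x" are all rejected before any open(). */
static int is_plain_filename(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Create a new dump file strictly inside dump_dir (assumed to be a
 * directory reserved for dumps). Returns an fd, or -1 with errno set. */
int open_dump_file(const char *dump_dir, const char *name)
{
    if (!is_plain_filename(name)) {
        errno = EINVAL;
        return -1;
    }
    int dirfd = open(dump_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    /* O_EXCL: fail if anything (file or symlink) already has this name.
     * O_NOFOLLOW: defence in depth against a symlink as the last component. */
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    int saved = errno;
    close(dirfd);
    errno = saved;
    return fd;
}

/* Replace control bytes in one dump field (e.g. a username) in place. */
size_t sanitize_dump_field(char *field)
{
    size_t changed = 0;
    for (unsigned char *p = (unsigned char *)field; *p; p++)
        if (*p < 0x20 || *p == 0x7f) { *p = '?'; changed++; }
    return changed;
}
```

Because the file is created with `O_EXCL`, an existing file is never truncated; a caller that needs to replace an old dump should write to a new name and rename it within the same directory.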