CVE-2026-53450

Source
https://cve.org/CVERecord?id=CVE-2026-53450
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53450.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53450
Aliases
  • GHSA-w4hf-cr3w-6h79
Downstream
Published
2026-07-10T18:05:06.474Z
Modified
2026-07-15T01:49:20.008893656Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
Coturn: IPv4-mapped 127.0.0.1 bypasses default loopback peer protection
Details

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN XOR-PEER-ADDRESS attribute. ioaaddrisloopback checks for the literal IPv6 loopback shape before IPv4-mapped IPv6 handling, so goodpeer_addr does not apply the default loopback rejection and an authenticated TURN client can expose services bound only to localhost on the coturn host through TURN relay traffic. This issue is fixed in version 4.13.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53450.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/coturn/coturn

Affected ranges

Type
GIT
Repo
https://github.com/coturn/coturn
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.13.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

4.*
4.10.0
4.11.0
4.12.0
4.4.5.3
4.4.5.4
4.5.0.1
4.5.0.2
4.5.0.3
4.5.0.4
4.5.0.5
4.5.0.6
4.5.0.7
4.5.1.0
4.5.1.1
4.5.1.2
4.5.1.3
4.5.2
4.6.0
4.6.2
4.6.3
4.7.0
4.8.0
4.9.0
docker/4.*
docker/4.10.0-r0
docker/4.10.0-r1
docker/4.11.0-r0
docker/4.12.0-r0
docker/4.5.2-r0
docker/4.5.2-r10
docker/4.5.2-r11
docker/4.5.2-r12
docker/4.5.2-r13
docker/4.5.2-r14
docker/4.5.2-r6
docker/4.5.2-r7
docker/4.5.2-r8
docker/4.5.2-r9
docker/4.6.0-r0
docker/4.6.0-r1
docker/4.6.1-r0
docker/4.6.1-r1
docker/4.6.1-r2
docker/4.6.1-r3
docker/4.6.2-r0
docker/4.6.2-r1
docker/4.6.2-r10
docker/4.6.2-r11
docker/4.6.2-r12
docker/4.6.2-r13
docker/4.6.2-r2
docker/4.6.2-r3
docker/4.6.2-r4
docker/4.6.2-r5
docker/4.6.2-r6
docker/4.6.2-r7
docker/4.6.2-r8
docker/4.6.2-r9
docker/4.6.3-r0
docker/4.6.3-r1
docker/4.6.3-r2
docker/4.6.3-r3
docker/4.7.0-r0
docker/4.7.0-r1
docker/4.7.0-r2
docker/4.7.0-r3
docker/4.7.0-r4
docker/4.8.0-r0
docker/4.8.0-r1
docker/4.9.0-r0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53450.json"