CVE-2026-27624

7.2 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass Coturn's IP address restrictions by using IPv4-mapped IPv6 addresses. Attackers can send CreatePermission or ChannelBind requests with addresses like ::ffff:127.0.0.1 to access blocked loopback/internal ranges. This affects Coturn servers configured with denied-peer-ip restrictions.
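As an added illustration (not code from Coturn or from this advisory), the C check below contrasts a naive deny-list comparison that only looks at IPv4 literals with one that unwraps an IPv4-mapped IPv6 peer before matching; the 127.0.0.0/8 rule and the function names are constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed deny rule standing in for a denied-peer-ip entry: 127.0.0.0/8. */
static const uint32_t DENIED_NET  = 0x7f000000u;
static const uint32_t DENIED_MASK = 0xff000000u;

/* The 96-bit prefix shared by every IPv4-mapped IPv6 address (::ffff:a.b.c.d). */
static const unsigned char V4MAPPED_PREFIX[12] =
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};

static int ipv4_denied(uint32_t host_order) {
    return (host_order & DENIED_MASK) == DENIED_NET;
}

/* Naive check: only IPv4 literals are compared against the IPv4 rule, so an
 * IPv6 literal such as ::ffff:127.0.0.1 is never matched. Returns 1 = denied. */
int peer_denied_naive(const char *peer) {
    struct in_addr a4;
    if (inet_pton(AF_INET, peer, &a4) == 1)
        return ipv4_denied(ntohl(a4.s_addr));
    return 0;
}

/* Hardened check: an IPv4-mapped IPv6 peer is unwrapped to the IPv4 address
 * carried in its last 32 bits and evaluated against the same rule. */
int peer_denied_fixed(const char *peer) {
    struct in_addr a4;
    struct in6_addr a6;
    uint32_t embedded;
    if (inet_pton(AF_INET, peer, &a4) == 1)
        return ipv4_denied(ntohl(a4.s_addr));
    if (inet_pton(AF_INET6, peer, &a6) != 1)
        return 0;  /* not a parseable address; a real server rejects it earlier */
    if (memcmp(a6.s6_addr, V4MAPPED_PREFIX, sizeof V4MAPPED_PREFIX) != 0)
        return 0;  /* genuine IPv6 peer: the IPv4 rule does not apply */
    memcpy(&embedded, &a6.s6_addr[12], sizeof embedded);
    return ipv4_denied(ntohl(embedded));
}

int main(void) {
    const char *peers[] = {"127.0.0.1", "::ffff:127.0.0.1", "::ffff:8.8.8.8", "::1"};
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-18s naive=%d fixed=%d\n", peers[i],
               peer_denied_naive(peers[i]), peer_denied_fixed(peers[i]));
    return 0;
}
```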

💻 Affected Systems

Products:
  • Coturn TURN/STUN Server
Versions: All versions before 4.9.0
Operating Systems: All platforms running Coturn
Default Config Vulnerable: ✅ No
Notes: Only affects systems using denied-peer-ip configuration to block specific IP ranges. Default configurations without these restrictions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers bypass network segmentation controls and access internal services, potentially leading to lateral movement, data exfiltration, or service disruption.

🟠 Likely Case

Unauthorized access to internal network resources that should be blocked by Coturn's IP restrictions.

🟢 If Mitigated

Limited impact if proper network segmentation and additional firewall rules are in place beyond Coturn's controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted STUN/TURN packets but no authentication is needed. The technique is documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.0 and later

Vendor Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p

Restart Required: Yes

Instructions:

1. Download Coturn 4.9.0 or later from the official repository.
2. Stop the Coturn service.
3. Install the updated version.
4. Restart the Coturn service.
5. Verify that the fix is applied.

🔧 Temporary Workarounds

Network firewall restrictions (platform: all)

Implement network-level firewall rules to block unauthorized access to internal ranges, independent of Coturn's controls.

Disable IPv6 support (platform: linux)

Configure Coturn to use only IPv4 if IPv6 functionality is not required.

Add 'no-udp' and 'no-tcp' to the Coturn configuration if IPv6 is not needed. Note that these two options turn off the UDP and TCP client listeners entirely rather than IPv6 specifically; whether IPv6 is served is determined by the listening-ip addresses configured.

🧯 If You Can't Patch

  • Implement strict network segmentation with firewall rules that block all unauthorized access to internal IP ranges
  • Monitor network traffic for suspicious STUN/TURN packets containing IPv4-mapped IPv6 addresses

🔍 How to Verify

Check if Vulnerable:

Check Coturn version and configuration. If version < 4.9.0 and using denied-peer-ip restrictions, the system is vulnerable.

Check Version:

turnserver --version

Verify Fix Applied:

After upgrading to 4.9.0+, test that CreatePermission/ChannelBind requests with ::ffff:127.0.0.1 are properly rejected.

📡 Detection & Monitoring

Log Indicators:

  • Successful CreatePermission/ChannelBind responses for blocked IP ranges
  • STUN/TURN requests containing IPv4-mapped IPv6 addresses

Network Indicators:

  • STUN/TURN packets with XOR-PEER-ADDRESS containing ::ffff:127.x.x.x patterns
  • Unauthorized traffic to internal IP ranges from Coturn server

SIEM Query:

source="coturn.log" AND ("CreatePermission" OR "ChannelBind") AND ("::ffff:127" OR "IPv4-mapped")
