CVE-2020-26262 — Confused Deputy in Coturn

CWE-441 — Confused Deputy CWE-682 — Incorrect Calculation CWE-284 — Improper Access Control10 documents6 sources

Severity

7.2HIGHNVD

NVD6.5

EPSS

0.3%

top 43.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Coturn Coturn Project Coturn Fedoraproject Fedora

Timeline

PublishedJan 13

Latest updateFeb 25

Description

Coturn is free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received and subsequently, `CONNECTIONBIND` also received a successful response. Coturn then is able to relay packets to the loopback interface. Additionall…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5coturn/coturn< 4.9.0+1

▶NVDcoturn_project/coturn< 4.5.2+1

▶Debiancoturn_project/coturn< 4.5.2-1+3

Also affects: Fedora 32, 33

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-27624: Coturn is a free open source implementation of TURN and STUN Server↗2026-02-25

▶

CVEList

Coturn: IPv4-mapped IPv6 (::ffff:0:0/96) bypasses denied-peer-ip ACL↗2026-02-25

▶

OSV

CVE-2020-26262: Coturn is free open source implementation of TURN and STUN Server↗2021-01-13

▶

CVEList

Loopback bypass in Coturn↗2021-01-13

▶

📋Vendor Advisories

Debian

CVE-2026-27624: coturn - Coturn is a free open source implementation of TURN and STUN Server. Coturn is c...↗2026

▶

Ubuntu

coTURN vulnerability↗2021-01-11

▶

Debian

CVE-2020-26262: coturn - Coturn is free open source implementation of TURN and STUN Server. Coturn before...↗2020

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27624 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶