Coturn Project Coturn vulnerabilities

CVE-2026-27624 [MEDIUM] CVE-2026-27624: Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured t Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind

CVE-2020-26262 [HIGH] CWE-441 CVE-2020-26262: Coturn is free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by de Coturn is free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received

CVE-2020-4067 [HIGH] CWE-665 CVE-2020-4067: In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initial In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This

CVE-2020-6061 [CRITICAL] CWE-125 CVE-2020-6061: An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server par An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability.

CVE-2020-6062 [HIGH] CWE-476 CVE-2020-6062: An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses PO An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability.

CVE-2018-4059 [CRITICAL] CWE-862 CVE-2018-4059: An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTU An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4.5.0.9. By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker w

CVE-2018-4058 [HIGH] CVE-2018-4058: An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a r

CVE-2018-4056 [CRITICAL] CWE-89 CVE-2018-4056: An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external in