Upstream information

CVE-2026-53450 at MITRE

Description

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN XOR-PEER-ADDRESS attribute. ioa_addr_is_loopback checks for the literal IPv6 loopback shape before IPv4-mapped IPv6 handling, so good_peer_addr does not apply the default loopback rejection and an authenticated TURN client can expose services bound only to localhost on the coturn host through TURN relay traffic. This issue is fixed in version 4.13.0.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail CNA (GitHub) SUSE
Base Score 7.4 7.4
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required Low Low
User Interaction None None
Scope Changed Changed
Confidentiality Impact Low Low
Integrity Impact Low Low
Availability Impact Low Low
CVSSv3 Version 3.1 3.1
CVSS v4 Scores
CVSS detail SUSE
Base Score 5.3
Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User Interaction None
Vulnerable System Confidentiality Impact Low
Vulnerable System Integrity Impact Low
Vulnerable System Availability Impact Low
Subsequent System Confidentiality Impact None
Subsequent System Integrity Impact None
Subsequent System Availability Impact None
CVSSv4 Version 4.0
SUSE Bugzilla entry: 1271325 [NEW]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Mon Jul 13 15:29:20 2026
CVE page last modified: Mon Jul 13 19:32:07 2026