{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-27624","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-02-20T22:02:30.027Z","datePublished":"2026-02-25T04:04:17.009Z","dateUpdated":"2026-02-25T15:09:21.716Z"},"containers":{"cna":{"title":"Coturn: IPv4-mapped IPv6 (::ffff:0:0/96) bypasses denied-peer-ip ACL","problemTypes":[{"descriptions":[{"cweId":"CWE-284","lang":"en","description":"CWE-284: Improper Access Control","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-441","lang":"en","description":"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg","tags":["x_refsource_CONFIRM"],"url":"https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg"},{"name":"https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p","tags":["x_refsource_MISC"],"url":"https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p"},{"name":"https://github.com/coturn/coturn/commit/b80eb898ba26552600770162c26a8ae7f3661b0b","tags":["x_refsource_MISC"],"url":"https://github.com/coturn/coturn/commit/b80eb898ba26552600770162c26a8ae7f3661b0b"}],"affected":[{"vendor":"coturn","product":"coturn","versions":[{"version":"< 4.9.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-02-25T04:04:17.009Z"},"descriptions":[{"lang":"en","value":"Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using \"denied-peer-ip\" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving \"0.0.0.0\", \"[::1]\" and \"[::]\", but IPv4-mapped IPv6 is not covered. When sending a \"CreatePermission\" or \"ChannelBind\" request with the \"XOR-PEER-ADDRESS\" value of \"::ffff:127.0.0.1\", a successful response is received, even though \"127.0.0.0/8\" is blocked via \"denied-peer-ip\". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in \"src/client/ns_turn_ioaddr.c\" do not check \"IN6_IS_ADDR_V4MAPPED\". \"ioa_addr_is_loopback()\" checks \"127.x.x.x\" (AF_INET) and \"::1\" (AF_INET6), but not \"::ffff:127.0.0.1\". \"ioa_addr_is_zero()\" checks \"0.0.0.0\" and \"::\", but not \"::ffff:0.0.0.0\". \"addr_less_eq()\", used by \"ioa_addr_in_range()\" for \"denied-peer-ip\" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262."}],"source":{"advisory":"GHSA-j8mm-mpf8-gvjg","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p","tags":["exploit"]},{"url":"https://github.com/coturn/coturn/security/advisories/GHSA-j8mm-mpf8-gvjg","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-25T15:09:17.451722Z","id":"CVE-2026-27624","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-25T15:09:21.716Z"}}]}}