CVE-2026-53448

STUN · coturn

The coturn TURN and STUN server contains an SQL injection vulnerability that can be exploited by high-privileged authenticated users to compromise the backend database.

Executive summary

An SQL injection vulnerability in the coturn STUN/TURN server allows high-privileged authenticated attackers to manipulate backend database queries.

Vulnerability

This vulnerability is an SQL Injection (CWE-89) arising from the improper neutralization of special elements within database queries. An attacker with high privileges can manipulate database interactions, potentially leading to unauthorized data access or modification.

Business impact

The CVSS score of 7.2 (High) reflects the critical nature of database-level access. Unauthorized control over the STUN/TURN server database could lead to the exposure of authentication credentials, service configuration tampering, or complete compromise of the communication infrastructure.

Remediation

Immediate Action: Upgrade to coturn version 4.12.0 or higher immediately.

Proactive Monitoring: Monitor database query logs for suspicious patterns, such as unexpected SQL syntax or unauthorized access attempts from administrative accounts.

Compensating Controls: Ensure strict access control lists (ACLs) are enforced for administrative interfaces and utilize database-level monitoring to detect and block anomalous query execution.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the existence of a proof-of-concept and the high technical impact, this update should be treated with urgency. Security teams must ensure that coturn instances are updated to version 4.12.0 to remediate the SQL injection flaw.