CVE-2026-53450
STUN · coturn
Coturn is vulnerable to Server-Side Request Forgery (SSRF) due to improper validation of user-supplied input, allowing for unauthorized internal network requests.
Executive summary
A Server-Side Request Forgery (SSRF) vulnerability in coturn allows authenticated attackers to perform unauthorized requests to internal resources, potentially exposing sensitive infrastructure.
Vulnerability
This vulnerability is a Server-Side Request Forgery (CWE-918) that occurs when the server fails to properly validate input, allowing an authenticated user to force the server to initiate requests to unintended internal destinations.
Business impact
The CVSS score of 7.4 reflects the potential for an attacker to pivot from the coturn service into protected internal network segments. This could lead to information disclosure, unauthorized access to internal APIs, or service disruption, compromising the overall security posture of the network.
Remediation
Immediate Action: Upgrade coturn to version 4.13.0 or later to ensure proper validation of target addresses.
Proactive Monitoring: Inspect network logs for unexpected outbound traffic originating from the coturn server, particularly toward internal RFC1918 address spaces.
Compensating Controls: Restrict the coturn server's network access using egress filtering to prevent it from reaching sensitive internal services or management interfaces.
Exploitation status
Public Exploit Available: No
Analyst recommendation
SSRF vulnerabilities in network infrastructure components like coturn can significantly expand an attacker's reach into internal environments. It is essential to update to version 4.13.0 promptly and ensure that the server is deployed within a segmented network environment to minimize potential impact.