5 matches found
CVE-2026-53450 Coturn: IPv4-mapped 127.0.0.1 bypasses default loopback peer protection
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN...
CVE-2026-41372
Technical details such as affected products, versions, root cause, and remediation are not publicly available in the provided documents. Monitor for updates from NVD, CVE lists, and vendor advisories.
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
Summary Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as localhost. and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost. Impact A hostile discovery respons...
EUVD-2026-8620
Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "::1" and "::", but IPv4-mapped IPv6 is not...
Debian DLA-2522-1 : coturn security update
A flaw was discovered in coturn, a TURN and STUN server for VoIP. By default coturn does not allow peers on the loopback addresses 127.x.x.x and ::1. A remote attacker can bypass the protection via a specially crafted request using a peer address of '0.0.0.0' and trick coturn in relaying to the...