Bug 2499142 (CVE-2026-53448) - CVE-2026-53448 coturn: Coturn: Arbitrary code execution via SQL injection in HTTPS admin panel
Summary: CVE-2026-53448 coturn: Coturn: Arbitrary code execution via SQL injection in ...
Keywords:
Status: NEW
Alias: CVE-2026-53448
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-10 19:02 UTC by OSIDB Bzimport
Modified: 2026-07-10 20:08 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-10 19:02:44 UTC
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The is_secure_string filter that protects the STUN protocol path is not applied to the admin panel's delete-user, delete-secret, and delete-IP operations, so an authenticated admin can inject arbitrary SQL through the du, ds, and dip parameters, gaining full database control and potentially OS-level access via PostgreSQL COPY TO PROGRAM. This issue is fixed in version 4.12.0.


Note You need to log in before you can comment on or make changes to this bug.