Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes a filename argument and directly passes it to fopen with no path validation. An authenticated admin with CLI access can overwrite arbitrary files writable by the coturn process because the command string is used as-is after stripping the psd prefix and leading spaces, allowing truncation and overwrite with session dump data. This issue is fixed in version 4.13.0.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 10 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Coturn
Coturn coturn |
|
| Vendors & Products |
Coturn
Coturn coturn |
Fri, 10 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes a filename argument and directly passes it to fopen with no path validation. An authenticated admin with CLI access can overwrite arbitrary files writable by the coturn process because the command string is used as-is after stripping the psd prefix and leading spaces, allowing truncation and overwrite with session dump data. This issue is fixed in version 4.13.0. | |
| Title | Coturn: Arbitrary File Write via CLI psd Command | |
| Weaknesses | CWE-73 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-10T18:01:58.395Z
Reserved: 2026-06-09T16:31:21.494Z
Link: CVE-2026-53449
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T19:30:04Z
Weaknesses