<Vulnerability name="CVE-2026-53449">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-10T17:59:11</PublicDate>
    <Bugzilla id="2499139" url="https://bugzilla.redhat.com/show_bug.cgi?id=2499139" xml:lang="en:us">
coturn: Coturn: Arbitrary file overwrite via CLI command
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.0</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes a filename argument and directly passes it to fopen with no path validation. An authenticated admin with CLI access can overwrite arbitrary files writable by the coturn process because the command string is used as-is after stripping the psd prefix and leading spaces, allowing truncation and overwrite with session dump data. This issue is fixed in version 4.13.0.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Coturn, an open-source TURN and STUN server. An authenticated administrator with command-line interface (CLI) access could exploit a vulnerability in the `psd print sessions dump` command. This flaw allows the administrator to overwrite arbitrary files on the system that are writable by the Coturn process, potentially leading to data corruption or denial of service.
    </Details>
    <Statement xml:lang="en:us">
This flaw affects the community-maintained coturn TURN/STUN server as shipped in Fedora and EPEL. Red Hat does not ship coturn in any core Red Hat product. Fedora and EPEL currently ship coturn 4.14.0, which already includes the fix released in 4.13.0, so the shipped builds are not vulnerable to this arbitrary file overwrite via the CLI psd command.
    </Statement>
    <Mitigation xml:lang="en:us">
No action needed — the shipped coturn build (4.14.0) already contains the upstream fix.
    </Mitigation>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-53449
https://nvd.nist.gov/vuln/detail/CVE-2026-53449
https://github.com/coturn/coturn/commit/e72930f571beba3bc7a9f97661af2614aae92a55
https://github.com/coturn/coturn/releases/tag/4.13.0
https://github.com/coturn/coturn/security/advisories/GHSA-jj76-vwjw-w34r
    </References>
</Vulnerability>