PatchSiren cyber security CVE debrief
CVE-2026-26978 FreePBX CVE debrief
CVE-2026-26978 affects FreePBX backup restore handling. In affected versions, a crafted tar archive can cause data to be passed into PHP unserialize() without validation, class restrictions, or integrity checks during restore. That can lead to remote code execution as the web server user when an authenticated user with sufficient backup/restore access processes a malicious backup. The issue was published on 2026-05-18 and updated on 2026-05-19; NVD’s record is marked Deferred as of the supplied source metadata.
- Vendor: FreePBX
- Product: security-reporting
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
FreePBX administrators, telephony teams, MSPs, and security responders who allow backup creation or restore operations should prioritize this. It is especially important where restore privileges are broader than normal admin duties, where backups may come from external or less-trusted sources, or where FreePBX web access is exposed to multiple operators.
Technical summary
The vulnerable path is in the backup module’s restore workflow. During restoration, FreePBX extracts selected files from a user-supplied tar archive and reads a malicious file directly into unserialize() without validation. The supplied source describes this as allowing remote code execution during restoration, typically as the asterisk or www-data web server account. The NVD metadata maps the issue to CWE-502 and rates it CVSS 8.6 HIGH with network access, low complexity, low privileges, and no user interaction.
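To make the CWE-502 pattern concrete, the following is an added illustration (not FreePBX code; the function names and the shared HMAC key are assumptions) showing the unsafe "archive entry straight into unserialize()" shape beside a restore routine that adds the integrity check, class restriction, and validation the advisory says were missing:

```php
<?php
// Added example (not FreePBX code): the unsafe restore pattern the advisory
// describes, beside a hardened version. Function names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: an entry read out of the archive goes straight into
// unserialize(), so any loaded class with __wakeup/__destruct is reachable.
function restoreSettingsUnsafe(string $archiveEntry): mixed
{
    return unserialize($archiveEntry);
}

// Hardened pattern, three layers:
//  1. integrity: the entry must carry a valid HMAC under a key the backup
//     creator and restorer share (assumed to be stored outside the archive);
//  2. no object instantiation: allowed_classes => false turns any serialized
//     object into __PHP_Incomplete_Class instead of running its methods;
//  3. schema check: only a flat, string-keyed array of scalars is accepted.
function restoreSettingsHardened(string $archiveEntry, string $mac, string $key): array
{
    if (!hash_equals(hash_hmac('sha256', $archiveEntry, $key), $mac)) {
        throw new RuntimeException('backup entry failed integrity check');
    }
    $data = unserialize($archiveEntry, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('backup entry is not a settings array');
    }
    foreach ($data as $k => $v) {
        if (!is_string($k) || !is_scalar($v)) {
            throw new RuntimeException("unexpected value type for key $k");
        }
    }
    return $data;
}

// Constructed sample: a legitimate settings entry plus its MAC.
$key   = 'constructed-demo-key';   // placeholder, not a real secret
$entry = serialize(['timezone' => 'UTC', 'max_channels' => 32]);
$mac   = hash_hmac('sha256', $entry, $key);
var_dump(restoreSettingsHardened($entry, $mac, $key)['timezone']);

// Tampered entry: even if it carried a valid MAC, a serialized object is never
// instantiated, and the shape check rejects it before the restore continues.
$tampered = serialize(new ArrayObject([]));
try {
    restoreSettingsHardened($tampered, hash_hmac('sha256', $tampered, $key), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The order matters: the MAC is checked before unserialize() is ever called, so an archive that was not produced under the trusted key is rejected without parsing its contents.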
Defensive priority
High. This is an authenticated RCE condition in a widely used PBX component, and exploitation happens through a normal restore workflow rather than requiring shell or filesystem access. If your environment uses FreePBX backup restores, treating this as a near-term patch item is appropriate.
Recommended defensive actions
- Upgrade FreePBX to a fixed version: 16.0.71 or 17.0.6.
- Restrict backup restore permissions to trusted administrators only, and review who can upload or import backup archives.
- Treat all backup archives as untrusted input unless they are generated and controlled within your own environment.
- Audit recent restore activity and review whether any backups from external, partner, or otherwise untrusted sources were imported.
- Apply least privilege to the FreePBX web server account and surrounding backup workflows where feasible.
- If immediate upgrading is not possible, reduce exposure by tightly limiting restore functionality until remediation is complete.
Evidence notes
Source corpus states that versions below 16.0.71 and 17.0.6 are affected and that the fix is present in those releases. The supplied description says a malicious file in a tar archive can be read and passed directly to unserialize() during restore, enabling RCE as the web server user. NVD metadata in the source item records CVSS 4.0 vector details consistent with network access, low complexity, low privileges, no user interaction, and high confidentiality/integrity impact, and lists CWE-502. The provided source item also marks the NVD vulnerability status as Deferred. Vendor metadata in the supplied source item is marked unknown, but the description and references clearly identify the FreePBX backup module as the affected component.
Official resources
Publicly disclosed on 2026-05-18 and modified on 2026-05-19 per the supplied CVE timeline. NVD source metadata shows the record as Deferred.