PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44237 FreePBX CVE debrief

FreePBX is an open source IP PBX platform widely deployed in enterprise telephony environments. CVE-2026-44237 identifies a critical authentication bypass in the api module's OAuth2 implementation prior to version 17.0.8. The vulnerability resides in the `validateClient()` method within `ClientRepository.php`, which unconditionally returns `true` regardless of whether the provided `client_secret` is correct. This flaw allows any attacker with knowledge of a valid `client_id` to obtain OAuth2 access tokens without proper credential verification, effectively bypassing the client authentication mechanism entirely. The attack requires network access to the FreePBX API endpoint and knowledge of a valid `client_id`, but does not require user interaction or elevated privileges. Successful exploitation grants the attacker authenticated API access with the permissions associated with the compromised OAuth2 client, potentially enabling unauthorized configuration changes, call monitoring, or further lateral movement within the telephony infrastructure. The vulnerability was disclosed on 2026-05-29 and is fixed in FreePBX version 17.0.8. Organizations should prioritize patching, audit existing OAuth2 client configurations for unauthorized tokens, and consider rotating all OAuth2 credentials as a precautionary measure.

Vendor: FreePBX
Product: security-reporting
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations operating FreePBX IP PBX systems, particularly those exposing API endpoints for third-party integrations, remote administration, or custom applications. Telephony administrators, security operations teams, and compliance officers responsible for communications infrastructure security should prioritize assessment and remediation.

Technical summary

The FreePBX api module's OAuth2 implementation prior to 17.0.8 contains a critical authentication bypass in `ClientRepository.php`. The `validateClient()` method returns `true` unconditionally, allowing token issuance with only a valid `client_id` and no `client_secret` verification. This enables unauthorized OAuth2 access token acquisition and API access.
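The defect pattern described above, placed beside a hardened form, as an added example that is not FreePBX's own code; it assumes the method follows the league/oauth2-server `ClientRepositoryInterface` signature and uses a client store constructed for the example:

```php
<?php
// Added example, not FreePBX's own code. The signature follows the
// league/oauth2-server ClientRepositoryInterface (assumed to be what the api
// module builds on); the client store is constructed for this example.
final class VulnerableClientRepository
{
    // The defect pattern described in CVE-2026-44237: the secret is never
    // checked, so any request carrying a known client_id is accepted.
    public function validateClient(string $clientId, ?string $clientSecret, ?string $grantType): bool
    {
        return true;
    }
}

final class HardenedClientRepository
{
    // $clients maps client_id => ['secret_hash' => ..., 'confidential' => bool, 'grants' => [...]]
    public function __construct(private array $clients) {}

    public function validateClient(string $clientId, ?string $clientSecret, ?string $grantType): bool
    {
        $client = $this->clients[$clientId] ?? null;
        if ($client === null) {
            return false;                                   // unknown client_id
        }
        if ($grantType !== null && !in_array($grantType, $client['grants'], true)) {
            return false;                                   // grant not allowed for this client
        }
        if (!$client['confidential']) {
            return true;                                    // public clients have no secret by design
        }
        if ($clientSecret === null || $clientSecret === '') {
            return false;                                   // confidential client must present one
        }
        // Constant-time check against a stored hash; never compare the raw secret with ==
        return password_verify($clientSecret, $client['secret_hash']);
    }
}

// Constructed sample store: one confidential client whose secret is stored hashed.
$repo = new HardenedClientRepository([
    'pbx-dashboard' => [
        'secret_hash'  => password_hash('example-secret', PASSWORD_DEFAULT),
        'confidential' => true,
        'grants'       => ['client_credentials'],
    ],
]);
var_dump($repo->validateClient('pbx-dashboard', 'example-secret', 'client_credentials'));
var_dump($repo->validateClient('pbx-dashboard', null, 'client_credentials'));
var_dump((new VulnerableClientRepository())->validateClient('pbx-dashboard', null, null));
```

The hardened variant rejects a missing or wrong secret for confidential clients, which is the check the affected versions skip.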

Defensive priority

critical

Recommended defensive actions

  • Upgrade FreePBX api module to version 17.0.8 or later immediately
  • Audit OAuth2 access token logs for unauthorized token issuance using known client_id values
  • Rotate all OAuth2 client secrets and invalidate existing access tokens as a precautionary measure
  • Review API access logs for anomalous authentication patterns from unexpected source IPs
  • Verify that OAuth2 client configurations enforce proper credential validation in non-standard deployments
  • Implement network segmentation to restrict FreePBX API endpoint access to authorized administrative hosts only
  • Enable comprehensive logging for OAuth2 token requests to facilitate detection of credential abuse attempts

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-vgjf-4h63-8vcc. The CVSS 4.0 vector indicates a network attack vector with low attack complexity and required privileges, resulting in high confidentiality and integrity impact. The CWE-1390 (Weak Authentication) classification aligns with the unconditional `true` return in the credential validation function.

Official resources

2026-05-29