PatchSiren cyber security CVE debrief

CVE-2026-44238 FreePBX CVE debrief

A SQL injection vulnerability exists in FreePBX's CDR Reports module, allowing authenticated users with CDR section access to manipulate database queries through the `order` and `sort` POST parameters. The vulnerability does not require full administrative privileges, lowering the barrier for exploitation. This flaw could enable data exfiltration, unauthorized data modification, or other database-level attacks. The issue has been resolved in FreePBX versions 16.0.50 and 17.0.11.

Vendor: FreePBX
Product: security-reporting
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running FreePBX with the CDR Reports module enabled, particularly those with multiple administrative users who have CDR section access. Security teams responsible for VoIP infrastructure and database integrity should prioritize patching.

Technical summary

The CDR Reports module in FreePBX versions prior to 16.0.50 and 17.0.11 fails to properly sanitize user-supplied input in the `order` and `sort` POST parameters, resulting in a SQL injection vulnerability (CWE-89). Exploitation requires authentication with a FreePBX Administration Control Panel account that has CDR section access; full administrator privileges are not required. The vulnerability allows attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access or modification. The CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impacts with a network attack vector and low attack complexity.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade FreePBX to version 16.0.50 or 17.0.11 immediately to remediate the SQL injection vulnerability in the CDR Reports module.
  • Verify that only necessary administrative accounts have CDR section access, as this vulnerability requires authenticated access to exploit.
  • Review database access logs for anomalous query patterns that may indicate attempted or successful exploitation of the `order` and `sort` parameters.
  • Implement input validation and parameterized queries for all user-supplied data in web application modules, particularly those handling database operations.
  • Monitor for unauthorized data access or modification in CDR-related database tables if exploitation is suspected prior to patching.
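The "input validation and parameterized queries" action above has a catch for parameters like `order` and `sort`: ORDER BY column names and directions cannot be bound as prepared-statement placeholders, so the defence is a strict allowlist rather than escaping. The following is an added example, not FreePBX's own code; the column list is taken from the standard Asterisk CDR table and the helper names are assumptions.

```python
# Added example: allowlist validation for ORDER BY input (the `sort` and
# `order` parameters named in this debrief). Not FreePBX code; the column
# names are the standard Asterisk CDR columns and are an assumption here.
from __future__ import annotations
import re

# Columns a CDR report may legitimately sort by (assumed, constructed list).
ALLOWED_SORT_COLUMNS = frozenset({
    "calldate", "clid", "src", "dst", "duration", "billsec", "disposition",
    "accountcode", "uniqueid", "did", "recordingfile", "userfield",
})
# Map accepted direction tokens onto fixed SQL keywords.
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}


class UnsafeSortParameter(ValueError):
    """Raised when a sort/order value is not on the allowlist."""


def validate_sort(sort: str, order: str) -> tuple[str, str]:
    """Map untrusted `sort`/`order` values onto allowlisted SQL tokens.
    Anything not on the allowlist is rejected outright: no escaping and
    no partial cleanup, because ORDER BY identifiers cannot be bound."""
    col = sort.strip().lower()
    direction = order.strip().lower()
    if col not in ALLOWED_SORT_COLUMNS:
        raise UnsafeSortParameter(f"sort column not allowed: {sort!r}")
    if direction not in ALLOWED_ORDER:
        raise UnsafeSortParameter(f"order direction not allowed: {order!r}")
    return col, ALLOWED_ORDER[direction]


def build_cdr_query(sort: str, order: str, limit: int = 100) -> tuple[str, tuple]:
    """Build the report query. Only allowlisted tokens reach the SQL text;
    the LIMIT value travels as a bound parameter, never as string data."""
    col, direction = validate_sort(sort, order)
    sql = ("SELECT calldate, src, dst, duration, disposition FROM cdr "
           f"ORDER BY {col} {direction} LIMIT ?")
    return sql, (int(limit),)


def is_sort_param_suspicious(value: str) -> bool:
    """Log-review helper: flag a recorded POST value that is not a plain
    identifier token (letters, digits, underscore), e.g. one containing
    spaces, commas, quotes or comment markers."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]{0,63}", value) is None


if __name__ == "__main__":
    print(build_cdr_query("calldate", "DESC"))
    for v in ("calldate", "calldate, (SELECT 1)", "src--"):
        print(f"{v!r}: suspicious={is_sort_param_suspicious(v)}")
```

The allowlist check is the fix to apply in code; `is_sort_param_suspicious` only supports the log-review action above and is not a substitute for patching.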

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-p9fq-fmpw-2h9x. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, high confidentiality and integrity impact, and high privileges required (PR:H). CWE-89 (SQL Injection) is classified as the primary weakness.
