PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46376 FreePBX CVE debrief

A critical authentication bypass vulnerability in FreePBX allows unauthenticated access to the User Control Panel (UCP) when administrators fail to change hard-coded initial template credentials after enabling UCP. The vulnerability exists in versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6. While authenticated access to the Admin Control Panel (ACP) is required for the initial UCP generic template setup, subsequent access by unauthenticated users becomes possible without additional administrative steps to secure the credentials. This represents a significant security gap where default credentials remain exploitable if not proactively changed during deployment.

Vendor: FreePBX
Product: security-reporting
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

FreePBX administrators, VoIP security teams, telecommunications infrastructure operators, and organizations relying on FreePBX for business communications. Particular attention is needed for deployments where UCP was recently enabled, or where administrative turnover may have left security hardening procedures incomplete.

Technical summary

The vulnerability stems from hard-coded initial credentials in UCP generic templates that persist after administrative setup. When an administrator enables UCP and creates generic templates through the ACP, the system generates templates with default credentials. If the administrator does not immediately change these credentials, unauthenticated network attackers can use them to access the User Control Panel. The attack requires no user interaction and can be executed remotely with low complexity. Confidentiality and integrity impact are both rated HIGH; availability impact is NONE. The CVSS 4.0 score of 9.3 reflects the severe risk of unauthorized access to user-facing PBX controls.

Defensive priority

critical

Recommended defensive actions

  • Upgrade FreePBX to version 16.0.45 or 17.0.7 or later to remediate this vulnerability
  • Verify that all UCP generic template credentials have been changed from default values if UCP was enabled prior to patching
  • Audit UCP access logs for unauthorized access attempts, particularly from unexpected source IP addresses
  • Review administrative procedures to ensure credential changes are mandatory during UCP template initialization
  • Consider implementing additional network-level access controls for UCP endpoints until patching is complete
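The first two actions above start with knowing which hosts are on an affected release. The following Python script is an added example written for this debrief, not code from FreePBX or PatchSiren: it encodes the affected ranges (15.0.42 through 16.0.44, 17.0.0 through 17.0.6) and fixed releases (16.0.45, 17.0.7) exactly as stated here, classifies a version string, and triages a small host inventory. The inventory, host names and the `assess`/`triage_fleet` function names are constructed for the example; the choice to send 15.x hosts to 16.0.45 rather than 17.0.7 is an assumption about the least disruptive upgrade path.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and fixed releases exactly as the debrief states them.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((15, 0, 42), (16, 0, 44)),
    ((17, 0, 0), (17, 0, 6)),
]
FIXED_16: Version = (16, 0, 45)
FIXED_17: Version = (17, 0, 7)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing build suffix such as '-1' is ignored."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:[.\-+][0-9A-Za-z.\-]*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised FreePBX version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(version_text: str) -> Dict[str, Optional[object]]:
    """Classify one FreePBX version against CVE-2026-46376.

    Returns the normalised version, whether it falls inside an affected range,
    and the fixed release to move to (None when no upgrade is needed for this CVE).
    """
    v = parse_version(version_text)
    affected = any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)
    # Assumption: hosts on the 15.x or 16.x branch go to 16.0.45, hosts on 17.x
    # go to 17.0.7. The debrief names only these two fixed releases.
    target = FIXED_17 if v[0] >= 17 else FIXED_16
    return {
        "version": fmt(v),
        "affected": affected,
        "upgrade_to": fmt(target) if affected else None,
    }


def triage_fleet(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts by exposure; unparseable versions are reported, not skipped."""
    report: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unparseable": []}
    for host, version_text in sorted(inventory.items()):
        try:
            result = assess(version_text)
        except ValueError:
            report["unparseable"].append(host)
            continue
        report["affected" if result["affected"] else "not_affected"].append(host)
    return report


# Constructed sample inventory (host name -> reported FreePBX version).
SAMPLE_INVENTORY: Dict[str, str] = {
    "pbx-hq": "17.0.6",
    "pbx-branch": "16.0.45",
    "pbx-legacy": "15.0.42",
    "pbx-lab": "unknown",
}

if __name__ == "__main__":
    for host, version_text in sorted(SAMPLE_INVENTORY.items()):
        try:
            r = assess(version_text)
        except ValueError as exc:
            print(f"{host}: {exc}")
            continue
        status = f"AFFECTED, upgrade to {r['upgrade_to']}" if r["affected"] else "not affected"
        print(f"{host}: {r['version']} -> {status}")
    print(triage_fleet(SAMPLE_INVENTORY))
```

Hosts in the `affected` bucket are the ones to patch first; hosts in `not_affected` that ran an affected release before upgrading still need the credential check from the second action, because the version number alone cannot tell you whether a template was created with defaults that were never changed.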

Evidence notes

CVE published 2026-05-29T14:16:31.677Z; modified 2026-05-29T15:06:44.207Z. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N. CWE-798 (Use of Hard-coded Credentials). Fixed in 16.0.45 and 17.0.7.

Official resources

2026-05-29