PatchSiren cyber security CVE debrief
CVE-2026-46513 mwtcmi CVE debrief
Frogman, a headless PBX control system, stored API tokens generated by Tools/CreateApiToken.php as raw bin2hex(random_bytes(32)) strings in oc_api_tokens. The Frogman.class.php file authenticated the X-Frogman-Token header by comparing it with the stored raw value. This insecure practice allowed database read access to recover reusable active tokens at their assigned permission level, including admin. The vulnerability has been fixed in version 1.6.2. Affected product deployments should be identified, and owners should be assigned for follow-up.
- Vendor
- mwtcmi
- Product
- frogman
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Frogman versions prior to 1.6.2 should be aware of this vulnerability and take immediate action to update to the latest version. This includes administrators, security teams, and operators who manage or use the affected product. They should review the official advisory and plan for vendor-supported updates or mitigations through normal change control.
Technical summary
The Frogman system stored API tokens insecurely, allowing for potential database read access to recover active tokens. The vulnerability was caused by the insecure storage of API tokens generated by Tools/CreateApiToken.php in oc_api_tokens. The Frogman.class.php file compared the X-Frogman-Token header with the stored raw value, enabling the recovery of reusable active tokens. The issue has been addressed in version 1.6.2, which should be applied to affected systems.
Defensive priority
High
Recommended defensive actions
- Update Frogman to version 1.6.2 or later
- Rotate and revoke existing API tokens
- Restrict database access to oc_api_tokens
- Monitor for suspicious activity related to API token usage
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-16T19:16:46.640Z and has not been modified since then. The NVD entry is currently 7.4 HIGH. There is no additional information available about the vulnerability beyond what is provided in the CVE record and NVD entry. Users should verify the affected product deployments and review the official advisory for further details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:46.640Z and has not been modified since then.