PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49843 signalwire CVE debrief

CVE-2026-49843 is a MEDIUM severity vulnerability in FreeSWITCH's mod_verto JSON-RPC handler. An unauthenticated attacker could evict a legitimate client by hijacking a target session UUID, allowing them to disrupt communication. This issue was patched in version 1.11.1.

Vendor: signalwire
Product: freeswitch
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-10
Advisory published: 2026-06-09
Advisory updated: 2026-06-10

Who should care

Users of FreeSWITCH software-defined telecom stacks, particularly those using mod_verto, should be aware of this vulnerability. An unauthenticated network attacker with knowledge of a target session UUID could exploit this issue to evict the legitimate client, disrupting communication.

Technical summary

In FreeSWITCH before version 1.11.1, the mod_verto JSON-RPC handler binds a connection to a client-supplied sessid on the first frame, before authentication. This binding inserts the connection into the global session hash. If a key collision occurs, the prior occupant is dropped: it receives a verto.punt, its calls are detached, and its socket is closed. An attacker who knows a target session UUID could exploit this to evict the legitimate client.
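The ordering problem described above, as an added toy model in C. It is not FreeSWITCH code and not the 1.11.1 patch: the table layout, every function name and the sample sessid are assumptions made for illustration. It contrasts binding into the shared table before the authentication check with binding only after it.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a global session table keyed by sessid. Not FreeSWITCH code. */
#define MAX_SESS 8
typedef struct { char sessid[40]; int conn_id; int in_use; } slot_t;
typedef struct { slot_t slots[MAX_SESS]; int last_punted; int npunted; } registry_t;
static const char SAMPLE_SESSID[] = "00000000-0000-4000-8000-000000000001"; /* constructed */
static slot_t *find(registry_t *r, const char *sessid) {
    for (int i = 0; i < MAX_SESS; i++)
        if (r->slots[i].in_use && strcmp(r->slots[i].sessid, sessid) == 0)
            return &r->slots[i];
    return NULL;
}
/* Connection currently bound to sessid, or -1 if none. */
int owner_of(registry_t *r, const char *sessid) {
    slot_t *s = find(r, sessid);
    return s ? s->conn_id : -1;
}
/* Insert conn under sessid; on a key collision the prior occupant is evicted. */
static int bind_conn(registry_t *r, const char *sessid, int conn_id) {
    slot_t *s = find(r, sessid);
    if (s) { r->last_punted = s->conn_id; r->npunted++; s->conn_id = conn_id; return 0; }
    for (int i = 0; i < MAX_SESS; i++) {
        if (r->slots[i].in_use) continue;
        r->slots[i].in_use = 1;
        r->slots[i].conn_id = conn_id;
        snprintf(r->slots[i].sessid, sizeof r->slots[i].sessid, "%s", sessid);
        return 0;
    }
    return -1; /* table full */
}

/* Flawed ordering: the first frame binds, authentication is checked afterwards. */
int bind_then_auth(registry_t *r, const char *sessid, int conn_id, int authed) {
    if (bind_conn(r, sessid, conn_id) != 0) return -1;
    return authed ? 0 : -1; /* too late: the eviction has already happened */
}

/* Safer ordering: unauthenticated frames never touch the shared table. */
int auth_then_bind(registry_t *r, const char *sessid, int conn_id, int authed) {
    return authed ? bind_conn(r, sessid, conn_id) : -1;
}

int main(void) {
    registry_t v = {0}, h = {0};
    bind_then_auth(&v, SAMPLE_SESSID, 1, 1); bind_then_auth(&v, SAMPLE_SESSID, 2, 0);
    auth_then_bind(&h, SAMPLE_SESSID, 1, 1); auth_then_bind(&h, SAMPLE_SESSID, 2, 0);
    printf("bind-then-auth owner=%d, auth-then-bind owner=%d\n", owner_of(&v, SAMPLE_SESSID), owner_of(&h, SAMPLE_SESSID));
    return 0;
}
```

The model covers only the check-before-bind ordering; it does not address whether one authenticated client should be allowed to replace another under the same sessid.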

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to FreeSWITCH version 1.11.1 or later to patch this vulnerability.
  • Review and restrict access to session UUIDs to prevent unauthorized eviction.

Evidence notes

This CVE was published on 2026-06-09T17:17:48.170Z and modified on 2026-06-10T15:07:18.270Z. The CVSS score is 5.3, with a severity of MEDIUM. The vulnerability is tracked under CWE-287.
