PatchSiren

FreePBX CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL FreePBX CVE published 2026-05-29

CVE-2026-46376

A critical authentication bypass vulnerability in FreePBX allows unauthenticated access to the User Control Panel (UCP) when administrators fail to change hard-coded initial template credentials after enabling UCP. The vulnerability exists in versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6. While authenticated access to the Admin Control Panel (ACP) is required for the initial UCP generic templ [truncated]

HIGH FreePBX CVE published 2026-05-29

CVE-2026-44239

A path traversal vulnerability in the FreePBX Dashboard module's getcontent AJAX handler allows authenticated attackers to execute arbitrary PHP code. The vulnerability exists because the `$_REQUEST['rawname']` parameter is unsafely concatenated into an `include()` call with a `.class.php` suffix, permitting directory traversal via `../` sequences. Successful exploitation requires the attacker to identify or [truncated]

HIGH FreePBX CVE published 2026-05-29

CVE-2026-44238

A SQL injection vulnerability exists in FreePBX's CDR Reports module, allowing authenticated users with CDR section access to manipulate database queries through the `order` and `sort` POST parameters. The vulnerability does not require full administrative privileges, lowering the barrier for exploitation. This flaw could enable data exfiltration, unauthorized data modification, or other database-level at [truncated]

HIGH FreePBX CVE published 2026-05-29

CVE-2026-44237

FreePBX is an open source IP PBX platform widely deployed in enterprise telephony environments. CVE-2026-44237 identifies a critical authentication bypass in the api module's OAuth2 implementation prior to version 17.0.8. The vulnerability resides in the `validateClient()` method within `ClientRepository.php`, which unconditionally returns `true` regardless of whether the provided `client_secret` is corre [truncated]

HIGH FreePBX CVE published 2026-05-18

CVE-2026-26978

CVE-2026-26978 affects FreePBX backup restore handling. In affected versions, a crafted tar archive can cause data to be passed into PHP unserialize() without validation, class restrictions, or integrity checks during restore. That can lead to remote code execution as the web server user when an authenticated user with sufficient backup/restore access processes a malicious backup. The issue was published [truncated]