CVE-2026-44237
Last modified
CVE-2026-44237 is a high-severity vulnerability rated 7.6/10 on the CVSS scale. FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. EPSS estimates a 0.20% chance of exploitation in the next 30 days.
Description
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sangoma | Freepbx | < 17.0.8 |
References
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vgjf-4h63-8vccMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-44237?
How severe is CVE-2026-44237?
How do I fix CVE-2026-44237?
Are you affected by CVE-2026-44237?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST