cpe:2.3:a:freepbx:api:*:*:*:*:*:*:*:*
| Field | Value |
|---|---|
| Part | a |
| Version | * |
| Update | * |
| Vendor | Freepbx (d2522fe8-489d-5eaf-bf22-7a0d08f83c2b) |
| Product | Api (1461763a-4a34-5889-8698-4fc621bbaeff) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/freepbx/api | purl2cpe | 2026-06-01 10:13:12.006420 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-40520 | vulnerable | 2026-06-03 15:23:34.836369 | FreePBX api module Command Injection via GraphQL. Severity: HIGH (7.2). FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user. Published: 2026-04-21T12:41:05.281Z. Updated: 2026-04-21T13:32:06.116Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-55739 | vulnerable | 2026-06-03 15:04:59.101904 | api: Shared OAuth Signing Key Between Different Instances. api is a module for FreePBX®, which is an open source GUI that controls and manages Asterisk® (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3. Published: 2025-09-04T23:22:43.649Z. Updated: 2026-02-13T21:55:35.323Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-55210 | vulnerable | 2026-06-03 15:04:57.987831 | FreePBX API has a Privilege Escalation Error in GraphQL Allowing Authenticated Users to Access Additional Scopes. FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they've already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17. Published: 2026-02-12T16:22:42.967Z. Updated: 2026-02-26T14:44:21.186Z. | Imported from gcve-enriched-dumps CVE data |