PT-2026-33931 · Freepbx · Freepbx

Published

2026-04-21

·

Updated

2026-04-21

·

CVE-2026-40520

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreePBX api module versions prior to 17.0.9

Description: An issue exists in the initiateGqlAPIProcess() function, where GraphQL mutation input fields are passed directly to a shell exec() call without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation containing backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.

Recommendations: Update to a version newer than 17.0.8. As a temporary workaround, restrict access to the initiateGqlAPIProcess() function or the GraphQL moduleOperations mutation.
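The pattern the description names (a mutation field interpolated into an exec() command line) and its hardened counterpart, as an added illustration that is not FreePBX's own code; the resolver, its argument names and the `fwconsole ma` command line are assumptions made for the example.

```php
<?php
// Hypothetical resolver for a moduleOperations-style mutation. Assumed
// shape: the mutation supplies an "action" and a "module" string, and the
// resolver runs a module-management CLI on the host.

// Pattern described in the advisory: the caller-supplied field is spliced
// into the command string, so the shell interprets any metacharacters
// (backticks, $(...), ;, |) that the field contains. Never called below.
function runModuleOperationUnsafe(string $action, string $module): int {
    exec("fwconsole ma $action $module", $output, $rc); // assumed command
    return $rc;
}

// Hardened form: allowlist both fields so the shell only ever sees values
// the application itself chose, then escape them anyway so the command line
// is safe even if the allowlist is later widened.
function buildModuleCommand(string $action, string $module): string {
    $allowedActions = ['install', 'uninstall', 'enable', 'disable'];
    if (!in_array($action, $allowedActions, true)) {
        throw new InvalidArgumentException('unsupported action');
    }
    // Module names are plain identifiers; reject anything else outright.
    if (preg_match('/^[a-z0-9_]{1,64}$/', $module) !== 1) {
        throw new InvalidArgumentException('invalid module name');
    }
    return 'fwconsole ma ' . escapeshellarg($action) . ' ' . escapeshellarg($module);
}

function runModuleOperationSafe(string $action, string $module): int {
    exec(buildModuleCommand($action, $module), $output, $rc);
    return $rc;
}

// Constructed sample inputs: a legitimate module name and one carrying
// shell metacharacters of the kind the advisory describes. Only the
// command builder is exercised here, so nothing is executed on the host.
foreach (['sipsettings', 'bad`name`', 'a;b'] as $candidate) {
    try {
        echo 'accepted: ' . buildModuleCommand('enable', $candidate) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate ({$e->getMessage()})\n";
    }
}
```

On the detection side, an allowlist failure like the one above is worth logging with the authenticated principal, since each rejection represents a bearer token being used to submit shell metacharacters.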

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2026-40520

Affected Products

Freepbx