PT-2026-41736 · Freepbx · Freepbx
Published: 2026-05-18 · Updated: 2026-05-19
CVE-2026-26978
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
FreePBX versions prior to 16.0.71
FreePBX versions prior to 17.0.6
Description
The backup module fails to properly sanitize data during restore operations. When extracting files from a user-supplied tar archive, the system reads malicious files and passes them directly to the unserialize() function without validation, class restrictions, or integrity checks. This can lead to Remote Code Execution (RCE) under the privileges of the web server user, such as asterisk or www-data. Exploitation requires authentication with a username possessing sufficient permissions and write access to backup files. The attack does not require shell access, CLI access, or filesystem write permissions outside the standard restore process.
Recommendations
Update to version 16.0.71 or later.
Update to version 17.0.6 or later.
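As an added illustration (not FreePBX's own code; the function names, the settings.ser file name and the HMAC signing scheme are assumptions), the unsafe restore pattern from the Description above next to a hardened version that adds the three missing controls: an integrity check, a class restriction on unserialize(), and validation of the decoded structure.

```php
<?php
// Vulnerable pattern (illustrative): state is rebuilt by unserialize()-ing
// a file pulled straight out of an uploaded tar archive. Nothing about the
// bytes is checked first, so any loadable class with __wakeup()/__destruct()
// side effects becomes reachable through the restore.
function restore_settings_unsafe(string $extractedDir): array
{
    $blob = file_get_contents($extractedDir . '/settings.ser');
    return unserialize($blob);          // untrusted input, classes unrestricted
}

// Hardened variant. Assumptions (hypothetical): the backup writer emitted
// settings.ser plus settings.ser.sig, an HMAC-SHA256 over the file keyed with a
// server-side secret, and the restore only ever needs scalars and arrays.
function restore_settings_safe(string $extractedDir, string $hmacKey): array
{
    $path = $extractedDir . '/settings.ser';
    $blob = is_file($path) ? file_get_contents($path) : false;
    $sig  = is_file($path . '.sig') ? trim(file_get_contents($path . '.sig')) : '';
    if ($blob === false || $sig === '') {
        throw new RuntimeException('backup payload or signature missing');
    }
    // 1. Integrity: refuse anything this server did not produce itself.
    //    hash_equals() keeps the comparison constant-time.
    $expected = hash_hmac('sha256', $blob, $hmacKey);
    if (!hash_equals($expected, $sig)) {
        throw new RuntimeException('backup signature mismatch');
    }
    // 2. Class restriction: serialized objects decode to
    //    __PHP_Incomplete_Class, so no magic methods run even if (1) were
    //    ever bypassed. (Storing JSON and using json_decode() avoids the
    //    object problem entirely and is the better long-term choice.)
    $data = unserialize($blob, ['allowed_classes' => false]);
    // 3. Shape validation: exactly the keys the restore expects, nothing else.
    if (!is_array($data)
        || !isset($data['version'], $data['settings'])
        || !is_array($data['settings'])
        || array_diff_key($data, ['version' => 0, 'settings' => 0]) !== []) {
        throw new RuntimeException('unexpected backup structure');
    }
    foreach ($data['settings'] as $k => $v) {
        if (!is_string($k) || !is_scalar($v)) {
            throw new RuntimeException("non-scalar setting: $k");
        }
    }
    return $data;
}
```

Applying only step 2 already removes the code-execution primitive; steps 1 and 3 keep a tampered archive from silently replacing configuration, which is the write-access risk the advisory also names.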
Tags: Fix · RCE
Weakness Enumeration: Deserialization of Untrusted Data
Affected Products: Freepbx