PT-2026-44842 · Sangoma+1 · Freepbx+1
Mil1200
·
Published
2026-05-29
·
Updated
2026-05-29
·
CVE-2026-44237
CVSS v4.0
7.6
High
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client id to obtain OAuth2 access tokens without providing the correct client secret. This vulnerability is fixed in 17.0.8.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Freepbx
Security-Reporting