PT-2026-60548 · Mwtcmi · Frogman
CVE-2026-46515
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM READ access was sufficient to call fm list managers, fm list pinsets, fm show context, fm get mcp config, fm backup status, fm whos calling, fm run saved query, and fm diagnose trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5 cred, and oauth secret. This issue is fixed in version 1.6.3.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Frogman