PT-2026-60548 · Mwtcmi · Frogman

CVE-2026-46515

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM READ access was sufficient to call fm list managers, fm list pinsets, fm show context, fm get mcp config, fm backup status, fm whos calling, fm run saved query, and fm diagnose trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5 cred, and oauth secret. This issue is fixed in version 1.6.3.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46515

Affected Products

Frogman