CVE-2026-44237
8.1 HIGH
FreePBX is an open source IP PBX
Published: 2026-05-29 · Last updated: 2026-06-01
Severity and scoring
- CVSS: 8.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- CWE: CWE-1390
Affected products
| Vendor | Product |
|---|---|
| sangoma | freepbx |
Description
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.
Source: NVD
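The defect the description names is a client validator that ignores the secret. The following is an added illustration, not FreePBX's own ClientRepository.php: a minimal PHP repository showing the vulnerable shape beside a hardened one. The validateClient() signature, the in-memory client table and the bcrypt-hashed secrets are assumptions made for the example.

```php
<?php
// Added illustrative example, not code from the FreePBX api module.
// Assumed: each client is stored with a bcrypt hash of its client_secret.

// Vulnerable shape described in the advisory: the secret is never checked,
// so any caller that knows a valid client_id passes validation.
final class VulnerableClientRepository
{
    public function validateClient(string $clientId, ?string $clientSecret, ?string $grantType): bool
    {
        return true;
    }
}

// Hardened shape: resolve the client, require a secret, and compare it
// against the stored hash with password_verify(), which is constant-time.
final class HardenedClientRepository
{
    /** @var array<string, string> client_id => bcrypt hash of the secret */
    private array $secretHashes;

    public function __construct(array $secretHashes)
    {
        $this->secretHashes = $secretHashes;
    }

    public function validateClient(string $clientId, ?string $clientSecret, ?string $grantType): bool
    {
        $hash = $this->secretHashes[$clientId] ?? null;
        if ($hash === null) {
            return false; // unknown client_id
        }
        if ($clientSecret === null || $clientSecret === '') {
            return false; // confidential clients must always present a secret
        }
        return password_verify($clientSecret, $hash);
    }
}

// Constructed sample data for a local check.
$repo = new HardenedClientRepository([
    'app1' => password_hash('s3cret', PASSWORD_BCRYPT),
]);
var_dump($repo->validateClient('app1', 's3cret', 'client_credentials'));
var_dump($repo->validateClient('app1', 'wrong', 'client_credentials'));
var_dump($repo->validateClient('app1', null, 'client_credentials'));
var_dump($repo->validateClient('unknown', 's3cret', 'client_credentials'));
```

Only the first call succeeds with the hardened repository; a wrong, missing or unknown-client secret is rejected, whereas the vulnerable class accepts all four.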
Related CVEs
Same vendor
- CVE-2026-46376 — FreePBX is an open source IP PBX (9.8 CRITICAL)
- CVE-2026-44239 — FreePBX is an open source IP PBX (8.8 HIGH)
- CVE-2026-44238 — FreePBX is an open source IP PBX (8.8 HIGH)
Same CWE
- CVE-2026-0274 — An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an un...
- CVE-2026-6274 — Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and ... (9.8 CRITICAL)
- CVE-2026-49323 — Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber +... (4.3 MEDIUM)
- CVE-2026-49322 — Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-... (4.3 MEDIUM)
- CVE-2026-40417 — Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally (7.8 HIGH)