HIGH 8.1

CVE-2026-44237: FreePBX OAuth2 Client Credential Bypass Vulnerability

FreePBX versions before 17.0.8 contain a flaw in their OAuth2 implementation that allows an attacker to bypass credential verification. If an attacker discovers or guesses a valid client application ID, they can request OAuth2 access tokens without needing the corresponding secret passphrase. This grants them the ability to authenticate and interact with the FreePBX API as if they were a legitimate application, potentially enabling unauthorized access to voice, data, and configuration controls.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-1390
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the validateClient() method within ClientRepository.php of the FreePBX api module. The method fails to perform server-side validation of the client_secret parameter during OAuth2 token issuance, instead returning true regardless of credentials supplied. An attacker possessing knowledge of a valid client_id can craft token requests that bypass authentication checks, obtaining valid OAuth2 bearer tokens without cryptographic proof of the client_secret. This represents a broken authentication control at the token issuance layer, violating OAuth2 specification requirements for client confidentiality.

Business impact

Compromise of OAuth2 token issuance undermines the security boundary between external API consumers and the FreePBX system. Threat actors obtaining valid tokens can perform API operations at the privilege level of the compromised application context, potentially including retrieval of call records, user directories, configuration changes, and call routing manipulation. For hosted or multi-tenant deployments, this escalates the risk of lateral movement and data exfiltration. Organizations depending on API-driven automation or third-party integrations face heightened exposure if those client_ids become known to adversaries.

Affected systems

FreePBX versions prior to 17.0.8 are affected. The vulnerability requires the presence of the api module and applicable only to deployments where OAuth2 is enabled or configured. Both open-source FreePBX instances and systems running under Sangoma's supported FreePBX offerings are in scope. Self-hosted and cloud-based deployments using affected versions face the same risk.

Exploitability

Exploitation requires network access to the FreePBX API endpoint and knowledge of a valid client_id. No user interaction is required, and attack complexity is low—an attacker can attempt token requests programmatically. The CVSS scoring (8.1 HIGH, AV:N/AC:L/PR:L) indicates network-based exploitability with low complexity; the PR:L (Privileges Required: Low) component reflects that possession of a valid client_id—itself a form of partial knowledge—is the primary barrier. Client IDs may be discoverable through misconfiguration, documentation, integration details, or prior reconnaissance.

Remediation

Upgrade FreePBX to version 17.0.8 or later, which corrects the validateClient() logic to properly verify client_secret credentials. Apply the patch through your package manager or FreePBX administration interface. Organizations unable to patch immediately should restrict API endpoint access via network controls (IP allowlisting, VPN requirements) and audit OAuth2 token issuance logs for anomalous patterns.

Patch guidance

FreePBX 17.0.8 contains the corrected implementation. Administrators should verify the running version via the FreePBX web console (Settings > System Settings > System Version) and apply updates through the standard FreePBX module update process. After patching, test OAuth2 token requests to confirm that invalid client_secret values are now rejected. No configuration changes are necessary post-patch; existing tokens remain valid until their natural expiration.

Detection guidance

Monitor FreePBX API logs and OAuth2 token issuance records for token requests using unexpected or dormant client_ids. Examine authentication failure logs for repeated failed secret validation attempts, which may indicate scanning or brute-force activity. Network-based detection should flag suspicious API calls authenticated with tokens issued shortly after suspicious token requests. Review integration documentation and client_id assignments to establish a baseline of legitimate API consumers and flag anomalies.

Why prioritize this

The vulnerability enables unauthenticated access to a critical administrative interface (the FreePBX API) with minimal preconditions. The HIGH severity reflects both the scope (confidentiality and integrity impact on API operations) and the practical exploitability (no user interaction, low complexity, network-accessible). Organizations operating FreePBX as a core voice or communications platform should treat this as a near-term remediation priority, particularly if the system is exposed to untrusted networks or if multiple external integrations consume the API.

Risk score, explained

CVSS 3.1 score of 8.1 (HIGH) reflects: network-based attack vector, low attack complexity, requirement for knowledge of a valid client_id (PR:L), no user interaction, unchanged scope, and high impact to confidentiality and integrity of API operations. The score does not assume compromise of the client_secret itself, only its bypass; systems with strong client_id confidentiality practices face lower practical risk than those with widely-known or poorly-managed credentials.

Frequently asked questions

Does an attacker need to know the client_secret to exploit this vulnerability?

No. The flaw allows token issuance without validating the client_secret at all. An attacker needs only a valid client_id, which may be harder to keep secret than a randomly-generated secret passphrase, especially in multi-integration environments or if client_ids are embedded in configuration files or documentation.

Are there any mitigations short of patching to version 17.0.8?

Yes. Network-level mitigations include restricting API endpoint access to known, trusted IP addresses or requiring VPN authentication before API requests are processed. Additionally, review and disable any unnecessary API integrations or OAuth2 clients. However, these are temporary measures and patching remains essential.

Will existing OAuth2 tokens stop working after we apply the patch?

No. Patching corrects the validation of future token requests; existing tokens issued before the patch remain valid until they expire naturally according to their configured lifetime. New token requests will correctly enforce client_secret validation.

How can we tell if this vulnerability has been exploited in our environment?

Review API access logs and OAuth2 token issuance records for activity from unexpected client_ids or from client_ids that should be inactive. Cross-reference token issuance timestamps with your integration and maintenance windows. Look for API operations (configuration changes, data exports, call logs) performed by tokens that do not correlate with legitimate integrations.

This analysis is provided for informational and risk management purposes. Verify all patch versions, affected configurations, and remediation steps against official FreePBX and Sangoma advisories before applying changes in production. Organizations should conduct independent testing and threat modeling specific to their FreePBX deployment topology. No exploit code or weaponized proof-of-concept has been included; this document is not a how-to for malicious use. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).