CVE-2026-44238: FreePBX SQL Injection in CDR Reports Module (CVSS 8.8)
FreePBX versions before 16.0.50 and 17.0.11 contain a SQL injection vulnerability in the CDR (Call Detail Records) Reports module. An authenticated user with CDR section access can manipulate the 'order' and 'sort' parameters to inject arbitrary SQL commands, potentially reading, modifying, or deleting sensitive database content. Unlike many vulnerabilities requiring administrative accounts, this one only needs standard CDR access, broadening the pool of potential attackers within an organization.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-89
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The CDR Reports module in affected FreePBX versions fails to properly sanitize the 'order' and 'sort' POST parameters before incorporating them into SQL queries. This classic SQL injection flaw (CWE-89) allows an authenticated attacker to break out of the intended query context and execute arbitrary SQL. The vulnerability requires valid FreePBX Administration Control Panel credentials with at least CDR section permissions, but not full administrative privileges. Successful exploitation enables database enumeration, credential theft, or data manipulation depending on database user permissions and backup controls.
Business impact
A compromised or malicious CDR-level user account can access call records of other users or organizations on the system, modify billing data, corrupt reporting infrastructure, or pivot to extract credentials for further system compromise. For service providers or enterprises running FreePBX, this threatens call data integrity, regulatory compliance (HIPAA, PCI-DSS, GDPR depending on call content), and customer trust. The ability to alter CDR data without full admin privileges also complicates audit trails and forensic investigation.
Affected systems
FreePBX versions 16.0.x prior to 16.0.50 and version 17.0.x prior to 17.0.11 are affected. Verify your exact version via the FreePBX admin interface or command line. Installations with users holding CDR section access permissions face active risk regardless of deployment size.
Exploitability
The vulnerability requires authentication with a valid FreePBX account holding CDR section permissions. No special privileges, no user interaction, and no network-level bypass is needed—an attacker with those credentials can inject SQL via a simple HTTP POST request. The attack surface is straightforward for anyone with legitimate CDR access, making the practical exploitability high within organizations with multiple administrative or reporting staff.
Remediation
Update FreePBX to version 16.0.50 or later for the 16.0.x branch, or version 17.0.11 or later for the 17.0.x branch. Review the official Sangoma security advisory and patch notes to confirm no breaking changes before deploying to production. After patching, audit account permissions and revoke CDR access from users who no longer require it, following least-privilege principles.
Patch guidance
Consult the Sangoma FreePBX security advisory and release notes for version 16.0.50 and 17.0.11 to confirm availability, dependencies, and any pre-patch prerequisites. Test patches in a non-production environment first. Schedule patching during a maintenance window to minimize service disruption. If you operate an earlier branch (15.0.x or older), verify Sangoma's support policy and whether backports are available.
Detection guidance
Monitor CDR Reports module access logs and POST request parameters for unusual 'order' or 'sort' values containing SQL keywords (SELECT, UNION, OR, AND, etc.) or special characters (quotes, semicolons, dashes). Implement database query logging to capture suspicious SQL patterns. Review FreePBX authentication logs for CDR-level account activity, particularly failed or unusual queries. Correlate CDR data anomalies with access logs to identify unauthorized modifications.
Why prioritize this
This is a high-severity SQL injection vulnerability (CVSS 8.8) affecting data confidentiality, integrity, and availability in a communications platform. While it requires authentication, the low privilege threshold (CDR access vs. full admin) and ease of exploitation make it an attractive target for insider threats or compromised mid-level accounts. Organizations should prioritize patching based on the number of users with CDR access and the sensitivity of call data in their environment.
Risk score, explained
The CVSS 8.8 HIGH score reflects full confidentiality, integrity, and availability impact (C:H, I:H, A:H) achievable by an authenticated attacker over the network without user interaction. The only mitigating factor is the requirement for valid credentials with CDR section permissions (PR:L), which prevents unauthenticated exploitation but remains a realistic threat vector in multi-user deployments.
Frequently asked questions
Can an attacker exploit this without a FreePBX account?
No. Valid credentials and CDR section permissions are required. However, this is a lower privilege threshold than needing full administrator access, so any employee or contractor with CDR reporting duties presents potential risk.
Does this vulnerability allow direct database server access?
It allows SQL injection through the FreePBX application, which executes queries with the privileges of the database user configured for FreePBX. Depending on those permissions and network isolation, an attacker could potentially access or modify FreePBX data, but not necessarily the entire database server outside the scope of FreePBX's database user.
How do I know if my FreePBX is vulnerable?
Check your version via Administration > System Admin > System Information or the command 'amportal -v'. If you're running 16.0.x below 16.0.50 or 17.0.x below 17.0.11, you are affected. Apply the recommended patches immediately.
Will this vulnerability be exploited in the wild?
SQL injection is a well-understood attack class. Organizations operating FreePBX should assume motivated attackers will attempt exploitation once patches are publicly available. It is not currently listed on CISA's KEV catalog, but its high score and straightforward exploitation path make rapid patching prudent.
This analysis is based on the published CVE description and CVSS score. Organizations should verify patch availability and compatibility with their specific FreePBX version and deployment configuration against the official Sangoma security advisory before applying updates. Internal testing and change management procedures should be followed. This summary does not constitute professional security advice; consult your security team and Sangoma support for deployment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access