CVE-2026-49472: FreeSWITCH XML Parser Denial of Service (MEDIUM)
FreeSWITCH versions prior to 1.11.0 contain a flaw in their embedded XML parsing library that can cause the application to stop responding to requests. The vulnerability stems from code that was copied from an older, unpatched version of libexpat and never received the security fix that libexpat itself received. An authenticated user with local or network access could trigger this denial-of-service condition, though the attack requires specific conditions to succeed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-116
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49472 affects the PREFIX(prologTok)() function located in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c within FreeSWITCH. This function was derived from a vulnerable version of libexpat and failed to incorporate the corresponding security patch applied to the upstream library. The flaw results in improper input handling (CWE-116) during XML token processing. Exploitation requires authentication and careful manipulation of XML parsing conditions, as indicated by the High complexity factor in the CVSS vector, but successful exploitation leads to availability loss through denial of service.
Business impact
Denial of service against FreeSWITCH deployments disrupts voice and data communications handled by the platform. Organizations running FreeSWITCH as a core telephony or communication infrastructure component face service interruption risk. Since exploitation requires authentication, the threat is primarily from internal users or compromised accounts rather than anonymous external attackers. However, in multi-tenant or cloud-hosted scenarios, a single authenticated user could impact shared services.
Affected systems
FreeSWITCH versions before 1.11.0 are affected. The vulnerability exists in the bundled xmlrpc-c library's Expat XML parser component. Any deployment using FreeSWITCH for call routing, conferencing, IVR, or other telephony functions prior to version 1.11.0 should be considered in scope. The flaw is specific to the bundled code path and may not affect alternative XML parsing implementations if separately integrated.
Exploitability
While the vulnerability is network-accessible and requires only low-privilege authentication, successful exploitation is not trivial. The CVSS vector indicates high attack complexity (AC:H), meaning an attacker must craft specific XML input conditions to trigger the flaw. This is not a one-click exploit scenario. The requirement for authenticated access significantly limits the threat surface compared to unauthenticated remote code execution flaws. Current evidence suggests this vulnerability is not yet actively exploited in the wild, as it does not appear on CISA's Known Exploited Vulnerabilities list.
Remediation
Upgrade FreeSWITCH to version 1.11.0 or later, which incorporates the necessary security patch to the prologTok() function. Organizations unable to upgrade immediately should implement network-level access controls to restrict authenticated user sessions and monitor XML-based API requests for anomalous patterns. Consider disabling unused XML-RPC functionality if not required for operations.
Patch guidance
Apply FreeSWITCH version 1.11.0 or newer. Verify the patch application by confirming the version string in the FreeSWITCH console or via administrative API. Test the upgrade in a non-production environment first to ensure compatibility with existing dialplans, modules, and integrations. The patch was made available as of the vulnerability disclosure date (2026-06-09); check your vendor repositories and deployment channels for availability.
Detection guidance
Monitor FreeSWITCH logs for XML parsing errors or unexpected termination of the core process, particularly following unusual API calls or configuration reloads. Network-based detection should focus on authenticated session anomalies and high-frequency or malformed XML-RPC requests. Vulnerability scanners can identify FreeSWITCH version numbers; cross-reference against the 1.11.0 cutoff. Host-based monitoring should alert on FreeSWITCH process crashes or restarts without corresponding administrative actions.
Why prioritize this
Although the CVSS score is moderate (5.3), the high complexity requirement and need for authentication significantly reduce practical risk in most environments. Prioritize this as a standard security update rather than an emergency. However, organizations in security-sensitive sectors (healthcare call centers, emergency services) should treat this with higher urgency given the availability impact. Environments with hostile internal users or those exposed to compromised accounts warrant faster remediation.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects a network-accessible flaw with authentication requirements and high attack complexity, resulting only in availability impact. The score appropriately penalizes the lack of confidentiality and integrity compromise. However, context matters: the real-world risk depends on your deployment model, the privilege level of typical authenticated users, and the criticality of FreeSWITCH availability in your infrastructure. A telecom carrier running FreeSWITCH as core infrastructure faces higher operational risk than an organization using it for peripheral functions.
Frequently asked questions
Do I need to patch immediately if I run FreeSWITCH?
If you are running FreeSWITCH prior to version 1.11.0, plan to upgrade within your normal patch cycle. This is not an emergency patch due to the authentication requirement and high attack complexity, but it should not be indefinitely deferred. If your environment has strict access controls limiting who can authenticate to FreeSWITCH APIs, risk is further reduced.
Can this vulnerability be exploited remotely without authentication?
No. The CVSS vector specifies PR:L (Privilege Level: Low), meaning authenticated access is required. An attacker cannot exploit this flaw from the internet against a closed FreeSWITCH instance without first obtaining valid credentials or compromising an authorized account.
What is the difference between this vulnerability and the original libexpat issue?
The original libexpat vulnerability was patched in the upstream library. FreeSWITCH bundled an older, pre-patch version of the Expat XML parser within its xmlrpc-c library and did not apply the corresponding fix to its copy. Version 1.11.0 remedies this by integrating the necessary patch into FreeSWITCH's bundled code.
How does this affect FreeSWITCH in a cloud or SaaS environment?
In multi-tenant or shared FreeSWITCH deployments, a single authenticated user (even with low privileges) could trigger a denial of service that affects other tenants' service. Cloud providers and SaaS operators should prioritize upgrading to 1.11.0 and consider isolating tenant XML-RPC processing to limit blast radius.
This analysis is based on the published CVE record and vendor advisories current as of the disclosure date. Security context evolves; verify current patch availability and applicability with FreeSWITCH maintainers and your vendor support channels. CVSS scores provide one dimension of risk; organizational context, deployment architecture, and threat landscape should inform prioritization decisions. No exploit code or weaponized proof-of-concept is provided. Always test patches in non-production environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-48209HIGHReflected XSS in OTRS Ticket Handling – HIGH Severity Vulnerability
- CVE-2026-8795HIGHRapid7 Velociraptor YAML Injection in Remapping Artifact (v0.76.6)
- CVE-2026-49843MEDIUMFreeSWITCH mod_verto Pre-Auth Session Hijacking Vulnerability
- CVE-2026-49848MEDIUMFreeSWITCH mod_verto Session State Injection Vulnerability
- CVE-2026-45771HIGHFreeSWITCH XML Billion Laughs DoS – Unauthenticated Remote Denial of Service
- CVE-2026-49475HIGHFreeSWITCH STUN Parser Out-of-Bounds Memory Access (Denial of Service)
- CVE-2026-49842HIGHFreeSWITCH Unauthenticated Bandwidth Amplification Vulnerability
- CVE-2026-49847HIGHFreeSWITCH WebSocket JSON Denial-of-Service (Stack Overflow)