api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3.
Metrics
Affected Vendors & Products
References
History
Fri, 05 Sep 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 05 Sep 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Freepbx
Freepbx freepbx |
|
Vendors & Products |
Freepbx
Freepbx freepbx |
Thu, 04 Sep 2025 23:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3. | |
Title | api: Shared OAuth Signing Key Between Different Instances | |
Weaknesses | CWE-522 CWE-798 |
|
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-09-05T15:19:50.135Z
Reserved: 2025-08-14T22:31:17.683Z
Link: CVE-2025-55739

Updated: 2025-09-05T15:19:35.886Z

Status : Awaiting Analysis
Published: 2025-09-05T00:15:31.860
Modified: 2025-09-05T17:47:10.303
Link: CVE-2025-55739

No data.

Updated: 2025-09-05T14:01:49Z