Description
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess(). If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in XML format that the Asterisk process then parses. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
Published: 2026-02-06
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Local File Disclosure via XXE
Action: Patch
AI Analysis

Impact

The vulnerability resides in the ast_xml_open function within Asterisk's xml.c module, which employs libxml's XML_PARSE_NOENT option and processes XIncludes without restrictions. If an attacker supplies untrusted XML content, the parser expands entities and processes XInclude directives, enabling the retrieval of arbitrary local files from the host system. This results in sensitive file disclosure and potentially broader information compromise, consistent with CWE-611.

Affected Systems

Asterisk and Sangoma's Certified Asterisk releases prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2 are affected. The official CNA product name is asterisk:asterisk, and all CPE entries corresponding to these products are vulnerable.

Risk and Exploitability

The CVSS base score of 2.0 indicates a low severity impact, and the EPSS score of less than 1% implies a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is user-supplied XML processed by Asterisk; exploitation requires the attacker to supply malicious XML data, which is typically possible through configuration files or inbound XML messages, but no widespread public exploits have been reported.

Generated by OpenCVE AI on April 17, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Asterisk to at least 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2, where the XML parsing has been fixed.
  • Restrict the XML files that Asterisk can parse to trusted locations and deny unauthorized file system access to the Asterisk process.
  • If an upgrade is not immediately possible, isolate the XML processing component or block external XML input from untrusted sources, and consider disabling entity expansion and XInclude processing in libxml if configuration options are available.
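As an added example of the last two actions (not OpenCVE's or Asterisk's code), the screen below inspects untrusted XML with Python's stdlib expat parser, which neither fetches external entities nor performs XInclude, and reports the two primitives this advisory describes before the document is handed to a libxml-based consumer. The sample documents and the function name are constructed for illustration.

```python
"""Screen untrusted XML for the two primitives in this advisory: external
entity declarations (XXE) and XInclude directives."""
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Constructed sample documents for illustration (not real Asterisk input).
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE cfg [ <!ENTITY leak SYSTEM "file:///etc/hostname"> ]>
<cfg xmlns:xi="http://www.w3.org/2001/XInclude">
  <value>&leak;</value>
  <xi:include href="/etc/passwd" parse="text"/>
</cfg>
"""
CLEAN_SAMPLE = b"<cfg><value>ok</value></cfg>"


def screen_untrusted_xml(data: bytes) -> list[str]:
    """Return findings; an empty list means no XXE or XInclude primitive was seen.

    expat neither fetches external entities nor performs XInclude on its own,
    so this inspection can run before the document reaches a libxml consumer
    that would (as unpatched ast_xml_open does) expand them.
    """
    findings: list[str] = []
    # Namespace-aware parser: element names arrive as "<uri> <localname>".
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An entity carrying a SYSTEM or PUBLIC identifier points outside the document.
        if system_id is not None or public_id is not None:
            kind = "parameter" if is_param else "general"
            findings.append(f"external {kind} entity {name!r} -> {system_id!r}")

    def on_start_element(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):
            findings.append(f"xinclude element href={attrs.get('href')!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # A document that does not even parse is rejected outright.
        findings.append(f"malformed: {exc}")
    return findings


if __name__ == "__main__":
    for label, doc in (("xxe", XXE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, screen_untrusted_xml(doc) or "no findings")
```

A non-empty result is a reason to reject the document (or alert on it) rather than pass it to a parser configured with XML_PARSE_NOENT or followed by xmlXIncludeProcess().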



Advisories
Source: Debian DLA
ID: DLA-4515-1
Title: asterisk security update
History

Wed, 18 Feb 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Sangoma; Sangoma asterisk; Sangoma certified Asterisk

Type: CPEs
Values Added:
  cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*
  cpe:2.3:a:sangoma:certified_asterisk:20.7:cert8:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Sangoma; Sangoma asterisk; Sangoma certified Asterisk

Tue, 10 Feb 2026 00:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Low


Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Asterisk; Asterisk asterisk

Type: Vendors & Products
Values Added: Asterisk; Asterisk asterisk

Fri, 06 Feb 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 17:00:00 +0000

Type: Description
Values Added: initial CVE description (identical to the Description section at the top of this record)

Type: Title
Values Added: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection

Type: Weaknesses
Values Added: CWE-611

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T17:37:22.223Z

Reserved: 2026-01-15T15:45:01.957Z

Link: CVE-2026-23739

Vulnrichment

Updated: 2026-02-06T17:37:07.099Z

NVD

Status: Analyzed

Published: 2026-02-06T17:16:26.147

Modified: 2026-02-18T18:42:37.300

Link: CVE-2026-23739

Redhat

Severity: Low

Public Date: 2026-02-06T16:42:25Z

Links: CVE-2026-23739 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses