Description
FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.
Published: 2026-05-18
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In older releases of the FreePBX IP PBX backup module, the code that restores a backup does not validate or restrict the data from a tar archive before calling unserialize() on it. This uncontrolled deserialization of untrusted data allows an attacker to compromise the system by embedding a malicious payload in a backup file and triggering the restore process. The vulnerability is identified as a Deserialization of Untrusted Data weakness and can result in arbitrary code execution running as the web server user, typically asterisk or www-data. Authentication with an account that has the ability to execute restore operations is required, but no additional shell or file write privileges beyond the normal restore workflow are needed. The issue is fixed in FreePBX versions 16.0.71 and 17.0.6.

Affected Systems

This flaw affects the FreePBX backup module in all versions prior to 16.0.71 and 17.0.6. The affected product is FreePBX, a free and open source IP PBX suite, so every deployment of these older releases carries the exposure. Organizations running them are vulnerable when they restore backups from potentially untrusted tar archives.

Risk and Exploitability

The CVSS score for this vulnerability is 8.6, indicating high severity. Because the EPSS score is not available, the exact likelihood of exploitation cannot be quantified, and it is not listed in the CISA KEV catalog. Nevertheless, the attack vector is remote: an attacker who gains the ability to submit a backup archive to the restore endpoint can trigger execution of malicious code on the server without needing shell, CLI, or additional filesystem write permissions. Authentication with a user that has restore rights is needed; if such privileges are restricted, the impact scope is reduced. Given the high severity and the fact that the flaw exists in widely deployed open-source software, it should be treated as an urgent risk.

Generated by OpenCVE AI on May 18, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreePBX to version 16.0.71 or later, or 17.0.6 or later, to apply the vendor fix that sanitizes restore input.
  • Limit the restore function to trusted administrators; remove or lock down restore permissions for regular users.
  • Before restoring, verify that the backup tar archive originates from a trusted source and contains no unexpected files; avoid restoring backups from unverified origins until the upgrade is completed.

Generated by OpenCVE AI on May 18, 2026 at 22:21 UTC.
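The description and the recommended actions above turn on the same point: bytes pulled out of a user-supplied tar archive must not reach unserialize() without an integrity check and a class restriction. The PHP below is an example added here to illustrate that point; it is not FreePBX's code and does not reproduce admin/modules/backup/Models/BackupSplFileInfo.php. The function names restoreMetadataUnsafe and restoreMetadataSafe, the AuditEntry class and the HMAC secret are hypothetical, and the archive members are constructed strings rather than files extracted from a tar.

```php
<?php
// Added example (not FreePBX code): the unsafe restore pattern beside a hardened one.
// restoreMetadataUnsafe, restoreMetadataSafe, AuditEntry and $secret are hypothetical.
declare(strict_types=1);

// Benign stand-in for "any class the autoloader can find": the unsafe path below
// instantiates it, and would equally instantiate a class with dangerous magic methods.
final class AuditEntry
{
    public string $note = 'constructed sample';
}

// Unsafe: the pattern the advisory describes. Bytes taken from an archive member go
// straight to unserialize(): every class is allowed, so __wakeup()/__destruct() of
// whatever the payload names will run, and nothing proves who produced the bytes.
function restoreMetadataUnsafe(string $memberBytes)
{
    return unserialize($memberBytes);
}

// Hardened, with two independent controls:
//  1. an HMAC over the member, keyed with a secret that stays on the PBX, proves the
//     bytes were written by this installation's own backup routine (integrity check);
//  2. allowed_classes => false stops unserialize() from instantiating anything, so no
//     gadget chain can run even if the integrity check were somehow bypassed, and any
//     leftover __PHP_Incomplete_Class placeholder is rejected (class restriction).
function restoreMetadataSafe(string $memberBytes, string $tag, string $secret): array
{
    $expected = hash_hmac('sha256', $memberBytes, $secret);
    if (!hash_equals($expected, $tag)) {
        throw new RuntimeException('backup member failed integrity check');
    }

    $data = unserialize($memberBytes, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('backup member is not a plain array');
    }
    // Walk every leaf: an object anywhere in the structure means the member was not
    // produced by a routine that only writes scalars and arrays.
    array_walk_recursive($data, static function ($leaf): void {
        if (is_object($leaf)) {
            throw new RuntimeException('object found in backup metadata');
        }
    });
    return $data;
}

// Constructed sample of a legitimate member: scalars and arrays only, tagged at backup time.
$secret = random_bytes(32);            // in practice a per-installation secret in the PBX config
$good   = serialize(['version' => '16.0.70', 'modules' => ['core', 'backup']]);
$tag    = hash_hmac('sha256', $good, $secret);
$meta   = restoreMetadataSafe($good, $tag, $secret);
echo 'restored version: ', $meta['version'], PHP_EOL;

// Constructed sample of a member that smuggles an object (a harmless one here).
$objectMember = serialize([new AuditEntry()]);

// Unsafe path: the object comes back fully instantiated; the class name is printed.
echo 'unsafe path instantiated: ', get_class(restoreMetadataUnsafe($objectMember)[0]), PHP_EOL;

// Safe path, no valid tag: rejected before unserialize() is ever reached.
try {
    restoreMetadataSafe($objectMember, 'not-a-valid-tag', $secret);
} catch (RuntimeException $e) {
    echo 'safe path: ', $e->getMessage(), PHP_EOL;
}

// Safe path, valid tag (say the secret leaked): the class restriction still holds,
// unserialize() yields a __PHP_Incomplete_Class placeholder and the walk rejects it.
try {
    restoreMetadataSafe($objectMember, hash_hmac('sha256', $objectMember, $secret), $secret);
} catch (RuntimeException $e) {
    echo 'safe path: ', $e->getMessage(), PHP_EOL;
}
```

The two controls answer different questions: the HMAC asks whether this installation's own backup routine wrote the member, while allowed_classes => false asks whether the bytes could instantiate anything even if it did not. Where the restored structure is plain configuration, storing it as JSON and reading it back with json_decode() removes the deserialization sink entirely, which is the stronger fix when the format is under your control.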


Advisories

No advisories yet.

History

Mon, 18 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Freepbx, Freepbx security-reporting
Vendors & Products                     Freepbx, Freepbx security-reporting

Mon, 18 May 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 18 May 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.
Title                          Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php
Weaknesses                     CWE-502
References
Metrics                        cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Freepbx Security-reporting
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T21:28:38.708Z

Reserved: 2026-02-17T01:41:24.605Z

Link: CVE-2026-26978

Vulnrichment

Updated: 2026-05-18T21:28:06.863Z

NVD

Status : Received

Published: 2026-05-18T21:16:39.723

Modified: 2026-05-18T21:16:39.723

Link: CVE-2026-26978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T22:30:25Z

Weaknesses