Description
FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.
Published: 2026-04-21
Score: 8.6 High (CVSS v4.0; the CVSS v3.1 base score is 7.2)
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

FreePBX api module versions up to 17.0.8 allow an authenticated user with a bearer token to inject shell commands into a GraphQL mutation. The vulnerable function directly passes the module field to shell_exec() without validation, enabling arbitrary command execution on the host as the web server user.

Affected Systems

The vulnerability affects FreePBX api module version 17.0.8 and earlier. Administrators running these versions should check the installed api module version and assess whether the GraphQL API is reachable by authenticated users holding bearer tokens.

Risk and Exploitability

The issue carries a CVSS v4.0 base score of 8.6 (High; CVSS v3.1 scores it 7.2) and is not listed in the CISA KEV catalog. EPSS is below 1% and the CVSS vector requires high privileges (PR:H), but an attacker who already holds a valid bearer token gains arbitrary command execution as the web server user, so the consequence for an exposed instance is full compromise of the host.

Generated by OpenCVE AI on April 21, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FreePBX api module to a release newer than 17.0.8 that removes the unsanitized shell_exec() call, once the vendor publishes one (no fix is listed at the time of writing).
  • If an upgrade is not immediately possible, apply the vendor's corrective commit when it becomes available; any fix must validate the module field and stop passing it to shell_exec() unescaped.
  • Restrict access to the GraphQL API to trusted administrators only, or disable the moduleOperations mutation if the API is not required for your deployment.
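The code pattern the advisory describes and one way to close it, shown as an added illustration rather than FreePBX's own code. The page does not reproduce the vulnerable source, so the function names, the fwconsole command line built here, the allowlist of actions and the module-name pattern are all assumptions made for the example; only the mechanism (a GraphQL input interpolated into a shell_exec() string) comes from the advisory.

```php
<?php
// Illustrative example added to this page; not FreePBX's own code.
// runModuleOperationVulnerable/runModuleOperationHardened, the fwconsole
// command line, and the module-name pattern are assumptions for demonstration.

declare(strict_types=1);

// Vulnerable pattern per the advisory: a GraphQL input field is interpolated
// straight into a shell command string. Backticks, $(...), ';', '|' and friends
// inside $module are parsed by /bin/sh before the intended command runs.
function runModuleOperationVulnerable(string $action, string $module): string
{
    // $module = "core`id > /tmp/pwned`" runs `id` as the web server user.
    return (string) shell_exec("fwconsole ma $action $module 2>&1");
}

// Hardened pattern with two independent controls:
//  1. allowlist validation of both inputs, failing closed on anything unexpected;
//  2. no shell at all: proc_open() with an argv array (PHP >= 7.4) hands the
//     module name to the child as a single argument that /bin/sh never parses.
function runModuleOperationHardened(string $action, string $module): string
{
    $allowedActions = ['install', 'uninstall', 'enable', 'disable', 'upgrade'];
    if (!in_array($action, $allowedActions, true)) {
        throw new InvalidArgumentException("Unsupported module action: $action");
    }
    // Assumed naming rule for module rawnames; tighten to the real rule in use.
    if (!preg_match('/^[a-z0-9_]{1,64}$/', $module)) {
        throw new InvalidArgumentException('Invalid module name');
    }

    $descriptors = [
        1 => ['pipe', 'w'], // child stdout
        2 => ['pipe', 'w'], // child stderr
    ];
    $proc = proc_open(['fwconsole', 'ma', $action, $module], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Failed to start fwconsole');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("fwconsole exited with status $status");
    }
    return $out;
}

// Defence in depth at the API layer: flag any string variable carrying shell
// metacharacters before it reaches a resolver, independent of the resolver's
// own handling. Returns the names of the offending variables.
function findShellMetacharacters(array $variables): array
{
    $bad = [];
    foreach ($variables as $name => $value) {
        if (is_string($value) && preg_match('/[`$;|&<>\n\r()]/', $value)) {
            $bad[] = (string) $name;
        }
    }
    return $bad;
}

// Constructed sample input shaped like the request the advisory describes:
// a backtick-wrapped command in the module field of a moduleOperations mutation.
$variables = ['action' => 'install', 'module' => 'core`id`'];
var_dump(findShellMetacharacters($variables));
try {
    runModuleOperationHardened($variables['action'], $variables['module']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist check alone would already reject the backtick payload, and escapeshellarg() alone would neutralise it, but both still leave the shell in the loop; passing an argv array to proc_open() removes the shell entirely, so a future bypass of the validation no longer reaches an interpreter. The metacharacter scan is a coarse tripwire suitable for logging and alerting on the API gateway, not a substitute for fixing the resolver.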



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 16:30:00 +0000

Type    Values Removed    Values Added
CPEs    (none)            cpe:2.3:a:freepbx:api:*:*:*:*:*:*:*:*

Tue, 21 Apr 2026 16:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            Freepbx
                                        Freepbx api
Vendors & Products    (none)            Freepbx
                                        Freepbx api

Tue, 21 Apr 2026 14:15:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 13:15:00 +0000

Type          Values Removed    Values Added
Description   (none)            FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.
Title         (none)            FreePBX api module Command Injection via GraphQL
Weaknesses    (none)            CWE-78
References    (none)            (none)
Metrics       (none)            cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
                                cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-21T13:32:06.116Z

Reserved: 2026-04-13T20:29:02.810Z

Link: CVE-2026-40520

Vulnrichment

Updated: 2026-04-21T13:31:56.061Z

NVD

Status: Analyzed

Published: 2026-04-21T13:16:20.380

Modified: 2026-04-23T16:27:06.970

Link: CVE-2026-40520

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:00:03Z

Weaknesses