Description
FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7.
Published: 2026-05-29
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FreePBX implements a user control panel (UCP) that can be accessed without authentication if the administrator does not change the hard-coded initial template credentials. The vulnerability exists from version 15.0.42 to just before 16.0.45 and from 17.0.0 to just before 17.0.7. Once an attacker obtains these default credentials they can log in and manage PBX configurations, exposing the system to arbitrary changes, eavesdropping, or further compromise. The CVSS score of 9.3 indicates a critical effect on confidentiality, integrity, and availability.

Affected Systems

The issue affects the FreePBX platform, specifically versions 15.0.42 through 16.0.44 and the 17.0 series before 17.0.7. No other vendors or products are listed, and the vulnerability is tied to the UCP interface of FreePBX.

Risk and Exploitability

The high CVSS score and the lack of authentication requirement result in a high risk of exploitation. Although EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, the scenario remains a critical threat because any unauthenticated user who can reach the UCP interface can leverage the default credentials. A likely attack vector is via the web interface, where attackers browse to the UCP installation page and supply the known default login credentials.

Generated by OpenCVE AI on May 29, 2026 at 15:22 UTC.
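To turn the affected ranges above into an inventory check, the following script (added here as an example; it is not OpenCVE's or FreePBX's code) classifies FreePBX version strings against the two vulnerable ranges, 15.0.42 up to but not including 16.0.45 and 17.0.0 up to but not including 17.0.7. It assumes versions are plain dotted integers such as "16.0.40.7"; the host inventory at the bottom is constructed sample data.

```python
"""Triage a FreePBX inventory against the affected version ranges in this advisory."""
from typing import List, Tuple

# Affected ranges from the advisory text: lower bound inclusive, upper bound exclusive
# (the upper bounds 16.0.45 and 17.0.7 are the fixed releases).
AFFECTED_RANGES = (
    ((15, 0, 42), (16, 0, 45)),
    ((17, 0, 0), (17, 0, 7)),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.40.7' into (16, 0, 40, 7); anything non-numeric is rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FreePBX version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the vulnerable ranges.

    Python compares tuples element by element, so a four-part version such as
    (16, 0, 44, 3) sorts correctly between (16, 0, 44) and (16, 0, 45).
    """
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that still run an affected version and need the fix."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory (hostname, FreePBX version); not real systems.
    sample = [
        ("pbx-branch-a", "16.0.40.7"),  # inside [15.0.42, 16.0.45): affected
        ("pbx-branch-b", "17.0.7"),     # fixed release: not affected
        ("pbx-branch-c", "17.0.2"),     # inside [17.0.0, 17.0.7): affected
        ("pbx-legacy", "15.0.41"),      # before the affected range starts
    ]
    for host in triage(sample):
        print(f"{host}: affected, upgrade to 16.0.45+/17.0.7+ or restrict UCP access")
```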

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreePBX 16.0.45 or later, or 17.0.7 or later, to apply the vendor fix.
  • If an upgrade is not immediately possible, change or disable all hard-coded UCP template credentials and restrict UCP access until the patch is deployed.
  • Apply network or firewall rules to block unauthenticated access to the UCP web endpoints until the vulnerability is resolved.

Generated by OpenCVE AI on May 29, 2026 at 15:22 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sangoma; Sangoma freepbx
CPEs | | cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
Vendors & Products | | Sangoma; Sangoma freepbx
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freepbx; Freepbx security-reporting
Vendors & Products | | Freepbx; Freepbx security-reporting

Fri, 29 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7.
Title | | FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface
Weaknesses | | CWE-798
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Freepbx Security-reporting
Sangoma Freepbx
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T14:00:06.115Z

Reserved: 2026-05-13T19:53:47.921Z

Link: CVE-2026-46376

Vulnrichment

Updated: 2026-05-29T13:59:57.465Z

NVD

Status : Analyzed

Published: 2026-05-29T14:16:31.677

Modified: 2026-06-01T18:38:48.663

Link: CVE-2026-46376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses
  • CWE-798: Use of Hard-coded Credentials