Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot — sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FreeSWITCH’s mod_verto module allowed an attacker to bind a chosen session identifier before authentication. By sending a frame that claimed ownership of a sessid that already belonged to an active connection, the module inserted the new connection into the global session hash and dropped the previous occupant, delivering a verto.punt that detaches the client’s calls and closes the socket. The flaw is effectively an authentication bypass (CWE-287) that permits an unauthenticated network attacker to sever legitimate sessions, causing service disruption.
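The session-hash binding described in the description and in the Impact passage above, as an added example (not mod_verto's or FreeSWITCH's own code): a toy session registry in C with the pre-authentication bind beside an auth-gated bind. The gated variant is an assumption about the shape of the 1.11.1 fix, and `conn_t`, `slot_t` and the return codes are hypothetical.

```c
/* Added example, not mod_verto's code: a minimal model of the session
 * registry the advisory describes. Slots are keyed by a client-supplied
 * sessid; binding on a key collision evicts the previous occupant. */
#include <stdbool.h>
#include <string.h>
#define MAX_SESSIONS 8
#define SESSID_LEN 37 /* UUID string plus NUL terminator */
typedef struct {
    int  conn_id; /* hypothetical connection handle */
    bool authed;  /* has the connection passed the login gate? */
    bool punted;  /* was sent verto.punt, i.e. evicted from its slot */
} conn_t;

typedef struct {
    char    sessid[SESSID_LEN];
    conn_t *owner; /* NULL when the slot is free */
} slot_t;

static slot_t registry[MAX_SESSIONS];
void registry_reset(void) { memset(registry, 0, sizeof registry); }

static slot_t *find_slot(const char *sessid) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (registry[i].owner && strcmp(registry[i].sessid, sessid) == 0)
            return &registry[i];
    return NULL;
}

/* Pre-1.11.1 behaviour as described: bind on the first frame, before the
 * authentication gate. A colliding sessid punts the current occupant.
 * Returns 0 on a fresh bind, 1 when an occupant was evicted, -1 when full. */
int bind_session_preauth(conn_t *c, const char *sessid) {
    slot_t *s = find_slot(sessid);
    if (s) { s->owner->punted = true; s->owner = c; return 1; }
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (!registry[i].owner) {
            strncpy(registry[i].sessid, sessid, SESSID_LEN - 1);
            registry[i].sessid[SESSID_LEN - 1] = '\0';
            registry[i].owner = c;
            return 0;
        }
    return -1;
}

/* Gated variant (assumed shape of the fix): the registry is never touched
 * until the connection is authenticated, so an unauthenticated frame cannot
 * collide with, and evict, a legitimate occupant. Returns -2 when rejected. */
int bind_session_authed(conn_t *c, const char *sessid) {
    if (!c->authed) return -2;
    return bind_session_preauth(c, sessid);
}
```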

Affected Systems

The vulnerability exists in the FreeSWITCH signaling platform from SignalWire, specifically the mod_verto JSON-RPC handler in all versions released before 1.11.1. Any system running FreeSWITCH without the 1.11.1 or later patch that implements the corrected session binding logic is affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker requires network access to the mod_verto endpoints and knowledge of a valid sessid to trigger the eviction. The exploit can be performed without authentication, making it a straightforward denial-of-service attack on affected hosts.

Generated by OpenCVE AI on June 9, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the FreeSWITCH 1.11.1 or later patch that fixes the pre-authentication session binding in mod_verto
  • If upgrading is not immediately feasible, restrict access to the mod_verto interface by firewalling or isolating the port to trusted internal hosts
  • Enable logging and monitor for verto.punt or abrupt session detachments to detect potential exploitation attempts



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:00:00 +0000

Type: First Time appeared
Values Added: Signalwire; Signalwire freeswitch

Type: Vendors & Products
Values Added: Signalwire; Signalwire freeswitch

Tue, 09 Jun 2026 16:30:00 +0000

Type: Description
Values Added: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot — sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.

Type: Title
Values Added: FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto`

Type: Weaknesses
Values Added: CWE-287

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T16:04:55.308Z

Reserved: 2026-06-01T18:50:36.057Z

Link: CVE-2026-49843

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:48.170

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-49843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T17:45:10Z

Weaknesses