Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.
Published: 2026-06-09
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in FreeSWITCH’s mod_verto component allows an unauthenticated user to send arbitrary userVariables over a WebSocket connection before authentication is verified. The variables are written into the connection state before the supplied password is checked, and the connection remains open even if the password comparison fails. As a result, values set during a failed login attempt persist on the same WebSocket and are carried forward into a later successful login on that same connection. This persistence can lead to unauthorized manipulation of configuration or session state for a subsequently authenticated user.
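The ordering problem described above (variables stored before the password compare, connection left open on failure) is easier to see in code. The following is an added, self-contained model written for this page, not FreeSWITCH's own mod_verto code: `conn_state_t`, `login_vulnerable`, `login_fixed` and the sample credential are all constructed here, and `residue_persists` replays the bad-password-then-good-password sequence from the description against both orderings.

```c
/* Standalone model of the ordering bug on this page; not FreeSWITCH code. */
#include <stdbool.h>
#include <string.h>
#define MAX_VARS 8
#define EXPECTED_PASSWORD "correct-horse" /* constructed sample credential */
typedef struct {
    char keys[MAX_VARS][32], vals[MAX_VARS][64];
    int count;
    bool authed;
} conn_state_t;
/* Append-only write into the per-connection store (k == NULL: nothing declared). */
static void set_var(conn_state_t *c, const char *k, const char *v) {
    if (k == NULL || c->count >= MAX_VARS) return;
    strncpy(c->keys[c->count], k, 31); c->keys[c->count][31] = '\0';
    strncpy(c->vals[c->count], v, 63); c->vals[c->count][63] = '\0';
    c->count++;
}
const char *get_var(const conn_state_t *c, const char *k) {
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->keys[i], k) == 0) return c->vals[i];
    return NULL;
}
/* Vulnerable ordering: the request-supplied variable lands in connection state
   before the password is compared, and the connection stays open on failure. */
bool login_vulnerable(conn_state_t *c, const char *pw, const char *k, const char *v) {
    set_var(c, k, v);
    if (strcmp(pw, EXPECTED_PASSWORD) != 0) return false;
    c->authed = true;
    return true;
}
/* Hardened ordering: request data reaches connection state only after the
   credential check succeeds, and a failed attempt leaves no residue behind. */
bool login_fixed(conn_state_t *c, const char *pw, const char *k, const char *v) {
    if (strcmp(pw, EXPECTED_PASSWORD) != 0) {
        c->count = 0; /* discard anything staged on this connection */
        return false;
    }
    set_var(c, k, v);
    c->authed = true;
    return true;
}
/* Replays the sequence from the description: a bad-password attempt declaring a
   variable, then a successful login on the same connection declaring none.
   Returns true if the earlier variable is still visible once authenticated. */
bool residue_persists(bool (*login)(conn_state_t *, const char *, const char *, const char *)) {
    conn_state_t c = {0};
    login(&c, "wrong-password", "leaked", "1");
    login(&c, EXPECTED_PASSWORD, NULL, NULL);
    return c.authed && get_var(&c, "leaked") != NULL;
}
```

A regression test for the real module would follow the same shape: declare a variable on a failed attempt, authenticate on the same WebSocket, and assert the variable is absent from the authenticated session.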

Affected Systems

SignalWire’s FreeSWITCH product, specifically the mod_verto module in all releases earlier than version 1.11.1. Applications that rely on WebSocket sessions provided by mod_verto and that perform authentication checks after setting userVariables are susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation at present. An attacker who can establish an unauthenticated WebSocket connection to mod_verto may inject userVariables before authentication and, because the connection remains open after a failed password comparison, those variables persist across a subsequent successful login on the same session. This persistence can influence the authenticated session’s state. The vulnerability is mitigated only by applying the published patch.

Generated by OpenCVE AI on June 9, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeSWITCH to version 1.11.1 or later from the SignalWire repository and ensure the update is applied to all affected instances.
  • Restart the FreeSWITCH service or reload the mod_verto module so the modified authentication logic takes effect.
  • Restrict inbound traffic to the mod_verto WebSocket endpoint to trusted networks or block untrusted connections using a firewall or ACL.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Signalwire; Signalwire freeswitch
Vendors & Products | | Signalwire; Signalwire freeswitch

Tue, 09 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.
Title | | FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`
Weaknesses | | CWE-287
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T16:53:15.989Z

Reserved: 2026-06-01T22:03:19.640Z

Link: CVE-2026-49848

Vulnrichment

Updated: 2026-06-09T16:52:52.412Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:48.460

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-49848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T19:00:15Z

Weaknesses