Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4043 articles · 176711 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-44237PATCHED
freepbx · security-reporting

FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module

Description

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.

Affected Products

VendorProductVersions
freepbxsecurity-reporting< 17.0.8

References

  • https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vgjf-4h63-8vcc(x_refsource_CONFIRM)

Related News (1 articles)

Tier C
VulDB49d ago
CVE-2026-44237 | FreePBX up to 17.0.7 API Module ClientRepository.php validateClient weak authentication (GHSA-vgjf-4h63-8vcc)
→ No new info (linked only)
CISA KEV❌ No
Actively exploited❌ No
Patch available
17.0.8
CWECWE-1390
PublishedMay 29, 2026
Last enriched49d agov2
Tags
CVE-2026-44237
Trending Score0
Source articles1
Independent1
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALPRE-CVE
Unauthenticated Remote Code Execution in FreePBX UCP via Socket.IO Namespace Auth Bypass and AMI Action Injection
Trending: 30
NONECVE-2026-26978EXP
Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php
NONECVE-2026-44239EXP
FreePBX: Authenticated Local File Inclusion in Dashboard Module
NONECVE-2026-40520
FreePBX api module Command Injection via GraphQL
NONECVE-2026-44238EXP
FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 29, 2026
Discovered by ZDM
May 29, 2026
Updated: description, severity, patchAvailable, tags
May 29, 2026
Patch Available
May 30, 2026

Version History

v2
Last enriched 49d ago
v2Tier C49d ago

Updated description with new technical details, changed severity to CRITICAL, and added patch version 17.0.8 and CVE-2026-44237 tag.

descriptionseveritypatchAvailabletags
via VulDB
v149d ago

Initial creation