Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.
AnalysisAI
Command injection in FreePBX API module 17.0.8 and earlier allows authenticated attackers with valid bearer tokens to execute arbitrary operating system commands as the web server user via malicious GraphQL mutations. The initiateGqlAPIProcess() function passes unsanitized GraphQL moduleOperations mutation input directly to shell_exec(), enabling backtick-wrapped command execution. While requiring high privileges (PR:H), the vulnerability provides complete system compromise within the web server context (CVSS 8.6). Vendor patch available via GitHub commit 5f194e39. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
FreePBX is an open-source web-based GUI for managing Asterisk PBX systems. The vulnerability resides in the API module's GraphQL implementation, specifically in the initiateGqlAPIProcess() function within ApiGqlHelper.class.php. This function accepts GraphQL mutation input for module operations and passes field values directly to PHP's shell_exec() without input validation, escaping, or sanitization. The CWE-78 (OS Command Injection) flaw occurs when the module field containing backtick-enclosed commands is interpolated into shell commands. The affected CPE (cpe:2.3:a:freepbx:api:*:*:*:*:*:*:*:*) indicates all versions through 17.0.8 of the FreePBX API module contain this flaw. GraphQL's flexible mutation syntax combined with bearer token authentication creates an authenticated remote code execution primitive that bypasses traditional web application firewalls focused on REST API patterns.
RemediationAI
Apply the vendor-released patch available in GitHub commit 5f194e39a47e5481e8947f9694304d32724175f6 (https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6). This commit addresses the command injection by implementing proper input sanitization in the initiateGqlAPIProcess() function. Upgrade to FreePBX API module version 17.0.9 or later once a tagged release incorporating this fix is published. As interim mitigation if patching is delayed: (1) restrict network access to the FreePBX GraphQL API endpoint to trusted management networks only via firewall rules or reverse proxy ACLs - this reduces attack surface but does not eliminate insider threat risk, (2) audit and rotate all bearer tokens with API access, implementing short token lifetimes and principle of least privilege, (3) enable audit logging for all GraphQL mutation operations to detect exploitation attempts via unusual moduleOperations patterns, (4) consider disabling the GraphQL API functionality entirely if not operationally required (note: this may break dependent FreePBX modules or integrations). Review web server and application logs for GraphQL requests containing backtick characters or shell metacharacters in module fields as potential indicators of compromise.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24086
GHSA-h2vx-h73q-6q6w