Skip to main content

FreeSWITCH CVE-2026-49843

| EUVDEUVD-2026-35492 MEDIUM
Improper Authentication (CWE-287)
2026-06-09 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 16:51 vuln.today
Analysis Generated
Jun 09, 2026 - 16:51 vuln.today

DescriptionGitHub Advisory

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot - sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.

AnalysisAI

Session eviction via unauthenticated sessid collision in FreeSWITCH mod_verto (all versions prior to 1.11.1) allows a remote unauthenticated attacker who knows a target client's session UUID to forcibly disconnect that client - terminating active calls and closing their WebSocket connection - by racing a crafted JSON-RPC first-frame before the authentication gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms full network reachability with no credentials required; the sole prerequisite is knowledge of the victim's session UUID. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.

Technical ContextAI

FreeSWITCH is a software-defined telecom stack developed by SignalWire (CPE: cpe:2.3:a:signalwire:freeswitch:*:*:*:*:*:*:*:*). The affected component is mod_verto, its WebSocket-based JSON-RPC interface used for real-time browser-to-phone and SIP bridging. The flaw is classified as CWE-287 (Improper Authentication): on the very first JSON-RPC frame received over a new WebSocket connection, the handler extracts the client-supplied 'sessid' field and immediately inserts the connection into the global session hash table - binding the socket identity before any password check occurs. When an attacker supplies a sessid matching an already-resident legitimate session, the hash insert triggers a collision-resolution path that drops the prior occupant: the evicted client receives a 'verto.punt' signaling event, its in-progress calls are detached, and its TCP socket is closed. The release notes for v1.11.1 confirm the fix as 'Gate sessid bind on auth, block cross-identity eviction,' alongside the related 'Defer userauth state writes until after password gate,' indicating the authentication gate was moved earlier in the connection lifecycle.

RemediationAI

Upgrade to FreeSWITCH v1.11.1, confirmed as the vendor-released patch at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1. The v1.11.1 release notes explicitly list 'Gate sessid bind on auth, block cross-identity eviction' as the targeted security fix and characterize the release as containing 'critical security fixes'; SignalWire strongly encourages immediate upgrade. If immediate patching is not feasible, restrict access to the mod_verto WebSocket port (typically TCP 8081/8082) to trusted IP ranges via firewall or reverse-proxy ACLs - this prevents unauthenticated external actors from reaching the vulnerable handler, though it does not eliminate risk from trusted-network attackers who may already possess session UUIDs. Note that completely disabling mod_verto is a more aggressive workaround only viable for deployments that do not depend on the Verto protocol for browser or WebRTC clients; doing so would terminate those call paths. The v1.11.1 release also patches a heap overflow in the mod_verto HTTP POST body reader and a use-after-free in the core session thread pool, making the upgrade advisable on multiple independent security grounds.

CVE-2019-19492 CRITICAL POC
9.8 Dec 02

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th

CVE-2015-7392 HIGH POC
7.5 Oct 05

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x

CVE-2021-41158 HIGH POC
7.5 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41145 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41105 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-37624 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-36513 HIGH POC
7.5 Oct 18

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all

CVE-2018-19911 HIGH POC
7.5 Dec 06

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api

CVE-2013-2238 MEDIUM POC
6.8 Sep 30

Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a

CVE-2023-40019 MEDIUM POC
6.5 Sep 15

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2023-51443 MEDIUM POC
5.9 Dec 27

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2026-49841 CRITICAL
9.8 Jun 09

Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt

Share

CVE-2026-49843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy