Skip to main content

FreePBX EUVDEUVD-2026-33295

| CVE-2026-46376 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-05-29 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 29, 2026 - 15:01 EUVD
Analysis Generated
May 29, 2026 - 14:32 vuln.today
CVSS changed
May 29, 2026 - 14:22 NVD
9.3 (CRITICAL)

DescriptionGitHub Advisory

FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7.

AnalysisAI

Authentication bypass in FreePBX User Control Panel (UCP) versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6 allows remote unauthenticated attackers to access UCP accounts using hard-coded initial template credentials when administrators fail to rotate them after enabling the feature. With a CVSS 4.0 score of 9.3 and CWE-798 (Use of Hard-coded Credentials), the flaw exposes high-confidentiality and high-integrity impact to the affected component, though no public exploit identified at time of analysis.

Technical ContextAI

FreePBX is a widely deployed open-source GUI front-end for the Asterisk VoIP/PBX engine, used to manage telephony, voicemail, IVR, and user features. The vulnerable component is the User Control Panel (UCP), the end-user web portal allowing users to manage their voicemail, call recordings, contacts, and call routing. CWE-798 (Use of Hard-coded Credentials) is the root cause: the initial UCP generic template ships with fixed credentials that are configured during ACP setup but persist as a valid login path until an administrator explicitly rotates or removes them. Because the credentials are static and known (or discoverable via source code), any party reaching the UCP login can authenticate as the template user. The affected CPE is cpe:2.3:a:freepbx:security-reporting:*, corresponding to FreePBX's security-reporting module that issued the advisory.

RemediationAI

Vendor-released patches are available in FreePBX 16.0.45 and 17.0.7, and operators should upgrade to one of these versions immediately following the GitHub Security Advisory at https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx. Administrators on 15.x should plan migration to a fixed branch since no 15.x fix is named in the advisory. As a workaround pending the upgrade, administrators should disable UCP via the FreePBX Module Admin (which removes the end-user portal feature for all users), or, if UCP must remain enabled, immediately rotate or delete the initial UCP generic template credentials provisioned during ACP setup and audit existing UCP user accounts for unauthorized additions; additionally, restrict UCP web access to trusted internal networks via reverse-proxy ACLs or firewall rules, accepting that this prevents legitimate remote user portal access until the patch is applied.

Share

EUVD-2026-33295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy