Skip to main content

FreeSWITCH EUVDEUVD-2026-35495

| CVE-2026-49848 MEDIUM
Improper Authentication (CWE-287)
2026-06-09 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 09, 2026 - 16:52 vuln.today
Analysis Generated
Jun 09, 2026 - 16:52 vuln.today

DescriptionGitHub Advisory

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.

AnalysisAI

mod_verto session state pollution in FreeSWITCH allows an authenticated WebSocket user to inject arbitrary userVariables into connection state before password verification completes, with those values persisting into any subsequent successful login on the same connection. All versions prior to 1.11.1 are affected via the check_auth userauth branch, which performs append-only state writes before the password comparison gate, and crucially does not close the connection on a failed compare. No public exploit has been identified and the vulnerability is not in CISA KEV, but the vendor explicitly labeled this release a critical security fix and strongly urged immediate upgrade.

Technical ContextAI

FreeSWITCH (CPE: cpe:2.3:a:signalwire:freeswitch:*:*:*:*:*:*:*:*) is a software-defined telecom stack; mod_verto is its WebSocket/JSON-RPC signaling module used for browser-based real-time communications. The root cause is CWE-287 (Improper Authentication): the check_auth userauth code path wrote caller-supplied userVariables into the per-connection state object before evaluating whether the supplied password was correct. Because the writes are append-only and the WebSocket connection is not torn down on authentication failure, any userVariables written during a failed attempt survive on the connection object. When the same WebSocket connection subsequently carries a successful login, those previously written variables are already present in the connection state and are treated as legitimate session data. The fix, confirmed in the v1.11.1 release notes as '[mod_verto] Defer userauth state writes until after password gate,' moves the state mutation to after the password gate, eliminating the race between write and verify.

RemediationAI

Upgrade FreeSWITCH to version 1.11.1, the vendor-released patch that defers mod_verto userauth state writes until after the password gate. The fix is confirmed in the release notes at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1 and the security advisory at https://github.com/signalwire/freeswitch/security/advisories/GHSA-j38x-xm7f-9p2f. If immediate upgrade is not possible, a compensating control is to disable mod_verto entirely if WebSocket/JSON-RPC signaling is not operationally required - note this will remove browser-based RTC functionality. Alternatively, restrict WebSocket access to mod_verto to trusted source IPs via firewall rules, reducing the pool of potential attackers to those already with network-level access; this limits exposure but does not eliminate the vulnerability for authorized low-privilege users who can still initiate connections. No side effects are expected from the upgrade itself beyond the behavioral change to auth sequencing.

CVE-2019-19492 CRITICAL POC
9.8 Dec 02

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th

CVE-2015-7392 HIGH POC
7.5 Oct 05

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x

CVE-2021-41158 HIGH POC
7.5 Oct 26

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41145 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-41105 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-37624 HIGH POC
7.5 Oct 25

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2021-36513 HIGH POC
7.5 Oct 18

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all

CVE-2018-19911 HIGH POC
7.5 Dec 06

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api

CVE-2013-2238 MEDIUM POC
6.8 Sep 30

Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a

CVE-2023-40019 MEDIUM POC
6.5 Sep 15

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2023-51443 MEDIUM POC
5.9 Dec 27

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to

CVE-2026-49841 CRITICAL
9.8 Jun 09

Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt

Share

EUVD-2026-35495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy