Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable API needing only a low-privilege read token (PR:L, AC:L); leaked host/trunk secrets and arbitrary saved-query execution cross into the Asterisk backend (S:C, C:H/I:H), with no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, and fm_diagnose_trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5_cred, and oauth_secret. This issue is fixed in version 1.6.3.
AnalysisAI
Missing authorization in Frogman, a headless Asterisk PBX control layer exposed over MCP and an HTTP API, lets any low-privilege PERM_READ caller invoke eight administrative tools (fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, fm_diagnose_trunk) that should require admin, leaking AMI manager secrets, outbound dial PINs, full dialplan context, root SSH connection commands, backup artifact paths, CDR history, and raw AMI endpoint dumps containing SIP password/md5_cred/oauth_secret fields, plus executing arbitrary saved GraphQL queries. All releases prior to 1.6.3 are affected, tracked under GHSA-q4c4-5cr4-8q47 with a CVSS 4.0 score of 9.3. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid low-privilege PERM_READ credential/token for the Frogman MCP or HTTP API (PR:L) plus network reachability to that API (AV:N); no user interaction and no admin rights are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) describes a remotely reachable, low-complexity flaw requiring only low-privilege authentication, with high confidentiality and integrity impact on both the vulnerable system (VC:H/VI:H) and subsequent systems (SC:H/SI:H) - the latter reflecting that leaked AMI secrets, root SSH commands, and PINs enable pivoting into the underlying Asterisk host and telephony trunk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains any low-privilege PERM_READ token - for example a shared read-only automation credential or a compromised MCP client - calls fm_diagnose_trunk and fm_list_managers over the network and receives AMI manager secrets and raw SIP credentials (password, md5_cred, oauth_secret) in the response. With low attack complexity and no user interaction, they then use fm_show_context and fm_list_pinsets to harvest the dialplan and outbound PINs, and fm_run_saved_query to execute stored GraphQL queries, enabling toll fraud or lateral movement into the Asterisk host via disclosed root SSH commands. … |
| Remediation | Vendor-released patch: upgrade to Frogman 1.6.3, which reassigns the affected tools (notably fm_diagnose_trunk) to PERM_ADMIN and adds line-level redaction of SIP credential fields in pjsip endpoint/registration dumps before they reach responses or the audit log; follow GHSA-q4c4-5cr4-8q47 (https://github.com/mwtcmi/frogman/security/advisories/GHSA-q4c4-5cr4-8q47). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit Frogman deployment locations and access logs for exploitation attempts; within 7 days, upgrade all instances to Frogman 1.6.3 or later; within 30 days, rotate all AMI manager credentials, SIP passwords, SSH keys, and OAuth secrets, and conduct forensic analysis of administrative tool invocations during the vulnerability window.
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Code injection in Frogman before 1.6.2 lets an authenticated PERM_WRITE caller of the MCP/HTTP dialplan API inject arbit
Sensitive credential exposure in Frogman (an mwtcmi FreePBX module providing headless PBX control via MCP and an HTTP AP
Plaintext credential exposure in Frogman's audit logging pipeline allows any authenticated low-privilege user holding PE
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45002