CVE-2026-23738 Overview
Asterisk, the widely deployed open source private branch exchange (PBX) and telephony toolkit, contains a reflected Cross-Site Scripting (XSS) vulnerability in its HTTP status endpoint. User-supplied cookie values and GET query parameters are interpolated directly into the HTML response without output encoding, allowing an attacker on an adjacent network to inject script into the page viewed by a user.
Critical Impact
Attackers on an adjacent network can inject script via the /httpstatus endpoint, potentially capturing session tokens or credentials, or performing actions on behalf of authenticated users of the Asterisk web interface.
Affected Products
- Asterisk versions prior to 20.7-cert9
- Asterisk versions prior to 20.18.2, 21.12.1, 22.8.2, and 23.2.2
- Asterisk deployments with the HTTP status endpoint enabled
Discovery Timeline
- 2026-02-06 - CVE-2026-23738 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2026-23738
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Cross-Site Scripting). The core issue resides in the asterisk/main/http.c file, in the handler for the HTTP status endpoint. When a user requests /httpstatus, the Asterisk HTTP server reads the request's cookie values and GET query parameters and passes them straight to ast_str_append.
That ast_str_append call concatenates the user-controlled values into the HTML response body as-is; nothing HTML-encodes or otherwise sanitizes them first. An attacker can therefore craft a URL whose query parameters carry a JavaScript payload, or manipulate cookie values, so that script executes when the response is rendered in a victim's browser.
Exploitation requires user interaction (the victim must open a crafted link or carry a manipulated cookie) and the attacker must be on an adjacent network segment, which limits the overall exposure.
Root Cause
The root cause is missing output encoding in the code that generates the HTTP status page. The ast_str_append call in http.c interpolates user-controlled input (cookies and GET parameters) into HTML output without applying HTML entity encoding or any other XSS prevention measure. This violates the secure coding principle that all untrusted data must be encoded for the context it is inserted into, here an HTML document.
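The vulnerable and hardened output patterns side by side, as an added example that is not Asterisk's code: a plain char buffer stands in for ast_str, and append_html_escaped, render_row_unsafe and render_row_safe are hypothetical names. The point is that the fix belongs at the output step, where the untrusted value meets the HTML.

```c
#include <stdio.h>
#include <string.h>

/* Append src to the NUL-terminated string in dst (capacity cap), entity-encoding
 * the five HTML-significant characters. Returns 0, or -1 if it would not fit. */
static int append_html_escaped(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(dst);
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;          /* default: copy the byte through */
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t rlen = strlen(rep);
        if (len + rlen >= cap) { dst[len] = '\0'; return -1; }
        memcpy(dst + len, rep, rlen);
        len += rlen;
    }
    dst[len] = '\0';
    return 0;
}

/* Vulnerable pattern (the bug class on this page): the value is interpolated verbatim. */
static void render_row_unsafe(char *out, size_t cap, const char *name, const char *value)
{
    snprintf(out, cap, "<tr><td>%s</td><td>%s</td></tr>", name, value);
}

/* Hardened pattern: entity-encode both untrusted strings before formatting. */
static int render_row_safe(char *out, size_t cap, const char *name, const char *value)
{
    char ename[128] = "", evalue[128] = "";
    if (append_html_escaped(ename, sizeof ename, name) ||
        append_html_escaped(evalue, sizeof evalue, value)) return -1;
    int n = snprintf(out, cap, "<tr><td>%s</td><td>%s</td></tr>", ename, evalue);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    char row[256]; /* "<script>x</script>" is a constructed sample value, not a capture */
    if (render_row_safe(row, sizeof row, "Cookie", "<script>x</script>") == 0)
        printf("%s\n", row); /* <tr><td>Cookie</td><td>&lt;script&gt;x&lt;/script&gt;</td></tr> */
    return 0;
}
```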
Attack Vector
The attack requires network adjacency: the attacker must be on the same network segment as either the Asterisk server or the victim user. The attacker crafts a URL carrying a JavaScript payload in its query parameters and induces a user to open it. When the victim's browser loads the /httpstatus page, the injected script executes in the context of the Asterisk web interface.
The vulnerability can be used to steal session information, capture credentials entered on the page, or perform unauthorized actions if the victim has administrative privileges. Since no authentication is required to trigger the vulnerability, any user who can be convinced to open a crafted link while on the adjacent network is at risk.
Detection Methods for CVE-2026-23738
Indicators of Compromise
- Unusual access patterns to the /httpstatus endpoint with encoded JavaScript in query strings
- HTTP request logs showing suspicious strings such as <script>, javascript:, or their URL-encoded variants in request parameters
- Cookie values containing HTML or JavaScript syntax
- Unexpected outbound connections from user browsers after accessing Asterisk web interfaces
Detection Strategies
- Monitor HTTP access logs for requests to /httpstatus containing script tags or event handlers
- Implement web application firewall rules to detect XSS payloads in query parameters
- Enable Content Security Policy (CSP) violation reporting to detect attempted script injections
- Review Asterisk HTTP server logs for anomalous GET parameter patterns
Monitoring Recommendations
- Configure alerting for HTTP requests to /httpstatus with parameters exceeding normal length or containing suspicious patterns
- Implement network segmentation monitoring to detect unauthorized adjacent network access
- Deploy browser-based XSS detection tools for administrators accessing Asterisk web interfaces
How to Mitigate CVE-2026-23738
Immediate Actions Required
- Upgrade Asterisk to patched versions: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2
- Restrict network access to the HTTP status endpoint to trusted administrative networks only
- Implement web application firewall rules to filter XSS payloads targeting the /httpstatus endpoint
- Review access logs for evidence of exploitation attempts
Patch Information
The Asterisk development team has released patched versions that encode user-supplied values before interpolating them into HTML. Organizations should upgrade to one of the following versions, according to their deployment branch:
- Version 20.7-cert9 for certified branch users
- Version 20.18.2 for 20.x branch users
- Version 21.12.1 for 21.x branch users
- Version 22.8.2 for 22.x branch users
- Version 23.2.2 for 23.x branch users
For additional technical details, refer to the GitHub Security Advisory.
Workarounds
- Disable the HTTP status endpoint if not required for operational purposes by modifying http.conf
- Restrict access to the Asterisk HTTP interface using firewall rules or ACLs to limit exposure to trusted networks
- Implement a reverse proxy with XSS filtering capabilities in front of the Asterisk HTTP server
- Deploy Content Security Policy headers via reverse proxy to mitigate script execution
; Configuration example - restrict HTTP access in http.conf
; (Asterisk config comments use ';'; a leading '#' is reserved for directives such as #include)
[general]
; enabled=no turns off Asterisk's built-in HTTP server entirely, and with it every
; service that rides on it, not just /httpstatus; use it only where none is needed
enabled=no
; Or keep the server on but bind it to the loopback address only
; bindaddr=127.0.0.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.