CVE-2026-44237 Overview
CVE-2026-44237 is an authentication bypass vulnerability in the FreePBX api module's OAuth2 implementation. FreePBX is an open source IP PBX platform maintained by Sangoma. The validateClient() method in ClientRepository.php unconditionally returns true, skipping verification of the client_secret during OAuth2 token issuance. An attacker who knows a valid client_id can request and receive valid OAuth2 access tokens without supplying the corresponding secret. The flaw affects all FreePBX releases prior to 17.0.8 and is categorized under [CWE-1390] (Weak Authentication). Sangoma resolved the issue in version 17.0.8.
Critical Impact
Attackers with knowledge of a valid client_id can mint OAuth2 access tokens and reach API functionality without possessing the client_secret, enabling unauthorized access to PBX configuration and call data.
Affected Products
- Sangoma FreePBX versions prior to 17.0.8
- FreePBX api module (OAuth2 implementation)
- Deployments exposing the FreePBX API endpoint to untrusted networks
Discovery Timeline
- 2026-05-29 - CVE-2026-44237 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-44237
Vulnerability Analysis
The defect resides in the FreePBX api module, which implements an OAuth2 authorization server for programmatic access. During the token issuance flow, the server is expected to verify both the supplied client_id and client_secret against stored credentials before issuing an access token. In affected versions, the validateClient() method in ClientRepository.php returns true unconditionally. The OAuth2 framework therefore treats every client credential pair as valid as long as the client_id resolves to a known record. An attacker who learns a client_id through enumeration, log exposure, or configuration leakage can complete the client credentials grant and obtain a usable bearer token. The vulnerability is network-reachable and requires no user interaction.
Root Cause
The root cause is missing credential verification logic inside validateClient(). The method should compare the submitted client_secret against the stored secret for the supplied client_id and return a boolean reflecting that comparison. Instead, the implementation returns true for any input. This is a classic instance of [CWE-1390] Weak Authentication, where an authentication routine exists in the call path but performs no meaningful check.
Attack Vector
An attacker sends an HTTP POST request to the FreePBX OAuth2 token endpoint using the client_credentials grant type. The request includes a known client_id and any value for client_secret. The server invokes validateClient(), which returns true, and the OAuth2 layer issues an access token. The attacker then presents the token to authenticated API endpoints to read or modify PBX configuration, extensions, trunks, and call records. Exploitation does not require prior session state or social engineering, and works from any network position that can reach the API listener.
No public exploit code is available at this time. Technical details are described in the FreePBX GitHub Security Advisory.
Detection Methods for CVE-2026-44237
Indicators of Compromise
- Successful OAuth2 token issuance events from unexpected source IP addresses against the FreePBX api module.
- Access token usage tied to client_id values that were not provisioned for the originating host.
- API calls modifying extensions, trunks, or dialplan configuration outside scheduled administration windows.
- Repeated POST requests to the token endpoint with varying client_secret values from the same source.
Detection Strategies
- Audit FreePBX web server logs for POST requests to the OAuth2 token endpoint and correlate issued tokens with known client provisioning records.
- Compare the client_id values appearing in token requests against the list of legitimately registered API clients.
- Alert on any administrative API action performed with a token issued to a recently created or rarely used client_id.
Monitoring Recommendations
- Forward FreePBX HTTP access logs and api module logs to a centralized log platform for retention and analysis.
- Monitor for outbound SIP trunk modifications, new extensions, and call forwarding changes made via API.
- Track authentication success rates and flag clients that never produce failed authentication attempts, which is consistent with bypassed validation.
How to Mitigate CVE-2026-44237
Immediate Actions Required
- Upgrade FreePBX and the api module to version 17.0.8 or later on all production and standby systems.
- Rotate every existing OAuth2 client_id and client_secret pair after patching, since tokens may have been issued without authentication.
- Revoke active OAuth2 access tokens issued by vulnerable releases.
- Restrict network exposure of the FreePBX administrative and API interfaces to trusted management networks.
Patch Information
Sangoma fixed the vulnerability in FreePBX 17.0.8. The patch updates validateClient() in ClientRepository.php to verify the supplied client_secret against the stored value before returning. Refer to the FreePBX Security Advisory GHSA-vgjf-4h63-8vcc for upgrade guidance.
Workarounds
- Block access to the FreePBX api module at the network boundary until 17.0.8 is deployed.
- Disable the api module in the FreePBX module administration interface if API access is not required.
- Place the FreePBX management interface behind a VPN or IP allow list to limit reachability of the token endpoint.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
