CVE-2026-44238 Overview
CVE-2026-44238 is a SQL injection vulnerability in FreePBX, an open source IP PBX platform maintained by Sangoma. The flaw resides in the Call Detail Record (CDR) Reports module, where the order and sort POST parameters are passed into database queries without proper sanitization [CWE-89]. Authenticated attackers with CDR section access in the FreePBX Administration Control Panel can inject arbitrary SQL statements. Full administrator privileges are not required to exploit the issue. The vulnerability affects FreePBX versions prior to 16.0.50 and 17.0.11.
Critical Impact
Authenticated users with limited CDR access can execute arbitrary SQL queries against the FreePBX database, exposing call records, credentials, and configuration data.
Affected Products
- Sangoma FreePBX versions prior to 16.0.50
- Sangoma FreePBX versions prior to 17.0.11
- FreePBX CDR Reports module
Discovery Timeline
- 2026-05-29 - CVE-2026-44238 published to the National Vulnerability Database
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-44238
Vulnerability Analysis
The vulnerability exists in the CDR Reports module of FreePBX, which generates reports from stored call detail records. When users submit a report request, the module accepts order and sort parameters via HTTP POST to control result ordering. These parameters are concatenated into the resulting SQL query without parameterization or strict allow-listing. An authenticated attacker can supply crafted values that break out of the intended ORDER BY clause and append arbitrary SQL fragments. The injected SQL executes under the database role used by FreePBX, granting read and write access to the underlying tables, including extension credentials, SIP secrets, voicemail data, and configuration values.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. ORDER BY clauses cannot be parameterized through prepared statements, so the affected code path relied on direct string interpolation of the order and sort POST values. The application did not validate these inputs against a fixed allow-list of column names and sort directions, leaving the query template open to injection.
Attack Vector
Exploitation requires network access to the FreePBX Administration Control Panel and a valid account with CDR section access. The attacker submits a POST request to the CDR Reports endpoint with malicious order or sort values. Because the attack vector is network-based and requires no user interaction, an attacker who has obtained any low-privileged administrative account, including through credential reuse or phishing, can pivot to full database compromise. See the FreePBX GitHub Security Advisory GHSA-p9fq-fmpw-2h9x for additional technical context.
Detection Methods for CVE-2026-44238
Indicators of Compromise
- POST requests to CDR Reports endpoints containing SQL keywords such as UNION, SELECT, SLEEP, or -- within the order or sort parameters
- Unexpected database errors logged by FreePBX referencing malformed ORDER BY clauses
- Anomalous read access to sensitive tables such as sip, users, or voicemail from the FreePBX database user
- Authentication events from CDR-scoped accounts followed by atypical query volumes
Detection Strategies
- Inspect web server access logs for POST requests to CDR module URLs and flag non-alphanumeric content in order and sort parameters
- Enable MySQL or MariaDB general query logging temporarily to identify malformed ORDER BY constructs originating from the FreePBX process
- Correlate FreePBX admin session events with database query volume to identify low-privilege accounts issuing high-impact queries
Monitoring Recommendations
- Forward Apache or Nginx access logs and FreePBX application logs to a centralized log platform for query analysis
- Alert on any CDR Reports request containing URL-encoded SQL metacharacters such as %27, %3B, or %2D%2D
- Track changes to FreePBX administrator accounts and CDR section permissions to detect unauthorized privilege grants
How to Mitigate CVE-2026-44238
Immediate Actions Required
- Upgrade FreePBX to version 16.0.50 or 17.0.11, which contain the official fix for the order and sort parameter handling
- Audit all FreePBX administrator accounts and revoke CDR section access for users who do not require it
- Rotate SIP secrets, voicemail PINs, and administrator passwords if compromise is suspected
- Restrict network access to the FreePBX Administration Control Panel using firewall rules or VPN gating
Patch Information
Sangoma released patched builds in FreePBX 16.0.50 and 17.0.11. The fix introduces strict validation of the order and sort parameters against an allow-list of permitted column names and sort directions. Administrators should apply updates through the FreePBX Module Admin interface or by running fwconsole ma upgradeall followed by fwconsole reload. Refer to the GitHub Security Advisory GHSA-p9fq-fmpw-2h9x for advisory details.
Workarounds
- Remove CDR section access from non-essential administrator accounts until patching is complete
- Place a web application firewall in front of the FreePBX Administration Control Panel and block requests containing SQL metacharacters in order or sort
- Restrict the FreePBX database user to the minimum privileges required by the application
# Apply FreePBX module updates from the CLI
fwconsole ma upgradeall
fwconsole reload
fwconsole restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
