CVE-2026-44239 Overview
CVE-2026-44239 is a Local File Inclusion (LFI) vulnerability in FreePBX, an open source IP PBX platform maintained by Sangoma. The flaw resides in the Dashboard module's getcontent AJAX handler, which includes PHP files based on user-supplied input without path sanitization. An authenticated attacker can manipulate the rawname parameter to traverse the filesystem and execute arbitrary .class.php files. The issue affects FreePBX versions prior to 16.0.22 and 17.0.5, and is tracked under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).
Critical Impact
Authenticated attackers can include arbitrary .class.php files on the server filesystem, leading to PHP code execution in the context of the FreePBX web application.
Affected Products
- Sangoma FreePBX versions prior to 16.0.22
- Sangoma FreePBX versions prior to 17.0.5
- FreePBX Dashboard module (getcontent AJAX handler)
Discovery Timeline
- 2026-05-29 - CVE-2026-44239 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-44239
Vulnerability Analysis
The vulnerability exists in the Dashboard module's getcontent AJAX handler. The handler accepts a rawname parameter from $_REQUEST and concatenates it directly into a PHP include() call with a .class.php suffix. Because the handler performs no path sanitization, attackers can submit input containing ../ traversal sequences to reference files outside the intended directory.
When the constructed path resolves to a valid .class.php file on the filesystem, PHP executes the file's top-level code before the dashboard logic attempts class instantiation. The subsequent instantiation error does not prevent execution of any code already evaluated during the include. This produces a usable code execution primitive against any .class.php file reachable on the host.
The attack requires network access to the FreePBX web interface and low-privilege authentication, but no user interaction. Impact extends to both confidentiality and integrity of the FreePBX instance.
Root Cause
The root cause is improper neutralization of user input used in a PHP file inclusion sink. The handler treats the rawname request parameter as a trusted identifier and appends it to an include path without validating against an allowlist, stripping directory separators, or canonicalizing the resulting path.
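To make the three missing controls concrete, the following is an added Python illustration (not FreePBX's own code, which is PHP) of validating a rawname value before it is turned into a .class.php include path. The module directory and the widget names in the allowlist are assumed placeholders.

```python
import os
import re

# Constructed illustration of the fix guidance above, not FreePBX's own code.
# The module directory and widget names are assumed placeholders.
MODULE_DIR = "/var/www/html/admin/modules/dashboard/classes"
ALLOWED_RAWNAMES = frozenset({"sysinfo", "summary"})
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")


def resolves_inside(rawname, module_dir=MODULE_DIR):
    """Canonical-path check on its own: does <module_dir>/<rawname>.class.php
    stay under module_dir once '..' segments and symlinks are resolved?
    It still accepts 'sub/name', so it is a backstop, not the primary check."""
    base = os.path.realpath(module_dir)
    target = os.path.realpath(os.path.join(base, rawname + ".class.php"))
    return os.path.commonpath([base, target]) == base


def check_rawname(rawname, module_dir=MODULE_DIR, allowed=ALLOWED_RAWNAMES):
    """Return (include_path, None) if rawname may be included, else (None, reason).

    The vulnerable handler did none of this; it built
    module_dir + "/" + rawname + ".class.php" straight from $_REQUEST.
    """
    # 1. syntactic: no '/', '\\', '.' or NUL, so no traversal or suffix tricks
    if not SAFE_NAME.fullmatch(rawname):
        return None, "forbidden characters"
    # 2. allowlist: only known widget identifiers are ever included
    if rawname not in allowed:
        return None, "not in allowlist"
    # 3. canonical: belt-and-braces containment of the resolved path
    if not resolves_inside(rawname, module_dir):
        return None, "escapes module directory"
    return os.path.join(os.path.realpath(module_dir), rawname + ".class.php"), None
```

The character check rejects traversal before any path is built; the canonical check alone would still let a subdirectory name through, which is why it is the last line of defense rather than the first.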
Attack Vector
An authenticated user sends a crafted HTTP request to the Dashboard getcontent endpoint with a rawname value containing ../ sequences. The server resolves the traversal, locates a .class.php file elsewhere on the filesystem, and executes its PHP code. Attackers can chain this with other plant-and-include techniques to achieve arbitrary code execution.
No verified exploit code is publicly available. See the FreePBX GitHub Security Advisory for vendor-provided technical details.
Detection Methods for CVE-2026-44239
Indicators of Compromise
- HTTP requests to the FreePBX Dashboard getcontent AJAX endpoint containing rawname values with ../ or URL-encoded %2e%2e%2f sequences.
- Web server access logs showing unusual rawname parameter values referencing paths outside the Dashboard module directory.
- PHP error logs containing class instantiation failures immediately following successful file inclusions from atypical paths.
Detection Strategies
- Inspect Apache or Nginx access logs for requests to the Dashboard module containing path traversal patterns in query strings or POST bodies.
- Monitor PHP include() and require() activity through runtime application self-protection (RASP) or auditd file-access telemetry on .class.php files.
- Correlate authenticated FreePBX administrator sessions with anomalous Dashboard endpoint usage outside normal operational patterns.
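The indicators and log-inspection strategies above, as an added Python scanner that is not FreePBX's own tooling. It runs over constructed Apache access-log lines; the /admin/ajax.php path, the module and command query parameter names, and the client IPs are assumptions, and the last sample line shows the POST-body blind spot that access logs cannot cover.

```python
import re
from urllib.parse import parse_qs, unquote

# Added detection example, not FreePBX tooling. Constructed Apache access-log
# lines (no real hosts); the POST line has its rawname in a body the log lacks.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2026:10:01:02 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=sysinfo HTTP/1.1" 200 512
203.0.113.7 - - [29/May/2026:10:02:15 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=../../../../tmp/x HTTP/1.1" 200 0
203.0.113.7 - - [29/May/2026:10:02:31 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=%252e%252e%252f%2e%2e%2fother HTTP/1.1" 500 0
203.0.113.9 - - [29/May/2026:10:03:00 +0000] "POST /admin/ajax.php?module=dashboard&command=getcontent HTTP/1.1" 200 0
"""
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

def fully_decode(value):
    """Undo repeated percent-encoding so %252e%252e%252f also reads as ../"""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def classify_rawname(rawname):
    """'traversal' for ../ in any encoding, 'separator' for other path chars, else None."""
    name = fully_decode(rawname).replace("\\", "/")
    if TRAVERSAL_RE.search(name):
        return "traversal"
    if "/" in name or "\x00" in name:
        return "separator"
    return None

def scan_access_log(text):
    """Return (client_ip, decoded_rawname, verdict) per suspicious getcontent request;
    POST requests carry rawname in the body, so they are flagged 'body-not-logged'."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        params = parse_qs(m["target"].partition("?")[2])
        if params.get("module") != ["dashboard"] or params.get("command") != ["getcontent"]:
            continue
        if "rawname" not in params:
            if m["method"] == "POST":
                findings.append((m["ip"], None, "body-not-logged"))
            continue
        for raw in params["rawname"]:
            verdict = classify_rawname(raw)
            if verdict:
                findings.append((m["ip"], fully_decode(raw), verdict))
    return findings
```

Requests flagged body-not-logged need a WAF, RASP, or PHP-FPM request capture to resolve, which is the gap the auditd and RASP strategies above close.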
Monitoring Recommendations
- Forward FreePBX web server and PHP-FPM logs to a centralized SIEM for retention and pattern matching on path traversal signatures.
- Alert on child process creation by the FreePBX web user (typically asterisk or www-data) spawning shells, network utilities, or scripting interpreters.
- Track file integrity on the FreePBX modules directory to detect attacker-staged .class.php files used as inclusion targets.
How to Mitigate CVE-2026-44239
Immediate Actions Required
- Upgrade FreePBX to version 16.0.22 or 17.0.5, which contain the official fix for the Dashboard getcontent handler.
- Restrict access to the FreePBX administrative web interface to trusted management networks using firewall or reverse-proxy controls.
- Audit existing administrator accounts and rotate credentials for any account that may have been exposed.
Patch Information
Sangoma has released fixed versions in FreePBX 16.0.22 and 17.0.5. Apply updates through the standard FreePBX module update mechanism or by following vendor instructions in the GitHub Security Advisory GHSA-hw7v-v2jp-wc4v.
Workarounds
- If immediate patching is not possible, restrict access to the Dashboard module's getcontent AJAX endpoint at the web server layer until upgrade.
- Place the FreePBX administrative interface behind a VPN or zero-trust gateway to eliminate exposure to untrusted networks.
- Review and minimize the set of authenticated users with access to the FreePBX web interface to reduce the population able to reach the vulnerable handler.
# Example: restrict the Dashboard getcontent endpoint via Apache until patched.
# Replace 10.0.0.0/24 with your management network. Note that this matches every
# request to ajax.php, not only the Dashboard handler, so other AJAX-driven admin
# pages will also be limited to the listed network.
<LocationMatch "/admin/ajax\.php">
    Require ip 10.0.0.0/24
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.