CVE-2026-44237

Published: Mag 29, 2026 Last Modified: Mag 29, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,6

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.

1390

Weak Authentication

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability Access Control

Potential Impacts:

Read Application Data Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: ICS/OT, Not Technology-Specific

View CWE Details

https://github.com/FreePBX/security-reporting/security/advi…

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vgjf-4h6…

CVE-2026-44237

Description

Weak Authentication

Common Consequences

Applicable Platforms

Iscriviti alla newsletter