


Perceptive Security
SOC/SIEM Consultancy

Published:
20 April 2026 at 22:00:00
Alert date:
21 April 2026 at 17:05:49
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
FreePBX API module version 17.0.8 and prior contains a command injection vulnerability in the initiateGqlAPIProcess() function. The vulnerability allows authenticated users with valid bearer tokens to execute arbitrary commands on the underlying host through GraphQL mutation input fields that are passed directly to shell_exec() without proper sanitization. Attackers can exploit this by sending GraphQL moduleOperations mutations with backtick-wrapped commands in the module field, gaining code execution privileges as the web server user.
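The pattern the description refers to, shown next to a hardened form, as an added PHP illustration that is not FreePBX's own code; the function names, the command string and the module-name pattern are assumptions, while `moduleOperations` and the `module` field come from the description above:

```php
<?php
// Added illustration (not FreePBX code). Hypothetical resolver behind a
// GraphQL moduleOperations mutation that builds a shell command from the
// caller-supplied "module" field. The command path is a placeholder.
const MODULE_TOOL = '/usr/local/bin/module-tool'; // placeholder, not a real FreePBX path

// Vulnerable pattern: untrusted input is interpolated straight into the
// command string, so shell metacharacters (backticks, $(), ;, |) are
// interpreted by /bin/sh before the tool ever sees the module name.
function runModuleOperationUnsafe(string $action, string $module): string
{
    return (string) shell_exec(MODULE_TOOL . " {$action} {$module}");
}

// A module identifier only ever needs a narrow character set; anything else
// is rejected before it can reach a shell. Returns true only for clean names.
function isValidModuleName(string $module): bool
{
    return preg_match('/^[a-z][a-z0-9_]{0,63}$/', $module) === 1;
}

// Hardened pattern: (1) the action comes from a fixed allowlist, (2) the
// module name is validated against the pattern above, and (3) each argument
// is still quoted as a single shell word so that the tool receives exactly
// one operand regardless of its contents.
function runModuleOperationSafe(string $action, string $module): string
{
    $allowedActions = ['install', 'enable', 'disable', 'uninstall'];
    if (!in_array($action, $allowedActions, true)) {
        throw new InvalidArgumentException('unsupported module action');
    }
    if (!isValidModuleName($module)) {
        throw new InvalidArgumentException('invalid module name');
    }
    $cmd = MODULE_TOOL . ' ' . escapeshellarg($action) . ' ' . escapeshellarg($module);
    return (string) shell_exec($cmd);
}

// Constructed check: a normal name passes, a name carrying a backtick
// (the metacharacter named in the advisory) is refused without executing.
var_dump(isValidModuleName('core'));     // bool(true)
var_dump(isValidModuleName('core`x`'));  // bool(false)
```

Validation of this kind belongs in the GraphQL resolver, before any value from the mutation is combined with a command; `escapeshellarg()` alone is a second layer, not a substitute for rejecting malformed input.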
Technical details
Affected products:
FreePBX API module
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40520
https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/Api.class.php#L546C1-L554C3
https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/ApiGqlHelper.class.php#L34C1-L36C136
https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6
https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql
This article was created with the assistance of AI technology by Perceptive.
