CVE-2026-44237: FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.
HarborGuard Analysis
Synopsis
This is an OAuth2 authentication bypass in the FreePBX api module. The flaw is reachable over the network and requires a low-privilege authenticated session plus knowledge of a valid client_id, because ClientRepository.php's validateClient() returns true unconditionally and skips client_secret verification. Successful exploitation lets an attacker mint OAuth2 access tokens for any known client and impersonate it to read and modify data exposed through the API. A patched-image rebuild at FreePBX 17.0.8 is available on HarborGuard for affected environments.
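The weak validateClient() pattern the advisory describes, next to a hardened form that actually checks the client_secret, as an added example. This is illustrative PHP written for this page, not FreePBX's ClientRepository.php; the client registry, function names and secret value are constructed.

```php
<?php
// Added illustration, not FreePBX code: a validateClient() that ignores the
// client_secret next to one that verifies it. Registry and names are constructed.
declare(strict_types=1);

// Constructed registry: secrets are stored as password_hash() digests, never plaintext.
$clients = [
    'reporting-app' => [
        'secret_hash'  => password_hash('example-secret', PASSWORD_DEFAULT),
        'confidential' => true,
    ],
];

// Weak shape: any caller naming a registered client_id is accepted,
// with no secret or a wrong one, so the secret protects nothing.
function validateClientWeak(array $clients, string $clientId, ?string $secret): bool
{
    return true;
}

// Hardened shape: an unknown client_id is rejected, and a confidential client
// must present a secret matching the stored digest (password_verify() compares
// in constant time).
function validateClientHardened(array $clients, string $clientId, ?string $secret): bool
{
    if (!isset($clients[$clientId])) {
        return false;
    }
    $client = $clients[$clientId];
    if ($client['confidential']) {
        return $secret !== null && password_verify($secret, $client['secret_hash']);
    }
    return true;
}

// Token endpoint decision: invalid_client means no token is minted.
function issueToken(callable $validate, array $clients, string $clientId, ?string $secret): ?string
{
    if (!$validate($clients, $clientId, $secret)) {
        error_log("invalid_client for client_id={$clientId}"); // detection signal for failed client auth
        return null;
    }
    return bin2hex(random_bytes(16)); // opaque demo token
}

// Same request (known client_id, wrong secret) against both validators.
foreach (['validateClientWeak', 'validateClientHardened'] as $fn) {
    $token = issueToken($fn, $clients, 'reporting-app', 'wrong-secret');
    echo $fn, ': ', $token === null ? 'rejected' : 'token issued', PHP_EOL;
}
```

Logging the invalid_client outcome gives a simple detection hook: a burst of rejections for one client_id after the fix is applied is worth alerting on.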
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-44237 is ingested from upstream feeds within minutes of publication and matched against FreePBX images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle the affected security-reporting api module.
Status: Available
Triage is available with the published CVSS v4.0 score of 7.6 (High) weighted against each customer's compliance policy, so PBX-facing workloads can be escalated above baseline. Findings are routed to the right inbox inside each customer org based on image ownership and service tags.
Status: Available
Patched-image rebuilds at FreePBX 17.0.8 are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is produced, a regression-test run is executed, and a PR is opened against affected workloads.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the FreePBX api module over the network.
- Authentication: Required
  A low-privilege authenticated session plus knowledge of a valid client_id is required to request a token.
- Victim interaction: Not required
  No user has to click or approve anything; the token endpoint is called directly.
- Attack complexity: Detail
  AC:L (Attack Complexity: Low) indicates the exploit is reliable, while AT:P (Attack Requirements: Present) records a precondition, knowledge of a valid client_id, that lies outside the attacker's direct control.
Blast Radius
- Mints OAuth2 access tokens for any client whose client_id is known, without the client_secret.
- Reads data exposed through the FreePBX API under the impersonated client's scope, including call, extension, and configuration records.
- Modifies PBX configuration and records reachable through the same API scope, enabling tampering with routing, users, and integrations.
How HarborGuard Handles This
Available on HarborGuard: FreePBX 17.0.8 is tracked as the fix version, and a patched-image rebuild at that version is available for affected environments. For customers who opt into auto-remediation, the rebuild is produced, a regression-test run is executed against the image, and a PR is opened against workloads still pinned to a vulnerable FreePBX build; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy blocks automatic rollout, the rebuild is staged for manual promotion, and compensating controls such as restricting api module exposure to trusted networks and rotating known client_id values can be applied in the interim.
Metrics
- CVSS v4.0: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - FreePBX / security-reporting: < 17.0.8
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N