CVE-2026-44238 · Severity: HIGH · CNA: GitHub_M

CVE-2026-44238: FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.

HarborGuard Analysis

Synopsis

This is an authenticated SQL injection in FreePBX's CDR Reports module, triggered through the `order` and `sort` POST parameters used in ORDER BY clauses. The flaw is reachable over the network and requires a logged-in Administration Control Panel account with CDR section access (full admin is not needed). Successful exploitation lets the attacker read and modify arbitrary data in the FreePBX database, including call detail records and configuration tables. A patched-image rebuild at 16.0.50 or 17.0.11 is available on HarborGuard for affected environments.
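The root cause described above is a common one: an ORDER BY clause cannot be protected with bound parameters, because SQL only allows values, not identifiers or sort directions, to be bound. The usual fix is to map the request values onto a fixed allowlist before any SQL text is built. The following is an added example and not FreePBX's own code; it shows the vulnerable pattern beside a hardened version. The `cdr` table, its column names and the sample rows are constructed for the demo and do not reflect FreePBX's real schema.

```python
import sqlite3

# Constructed allowlists for the demo (not FreePBX's real column set).
ALLOWED_ORDER_COLUMNS = frozenset({"calldate", "src", "dst", "duration", "disposition"})
ALLOWED_SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_cdr_query_unsafe(order: str, sort: str) -> str:
    """Vulnerable pattern: request values are interpolated straight into ORDER BY.

    ORDER BY identifiers cannot be bound as parameters, so whatever reaches this
    f-string becomes part of the SQL statement unchanged.
    """
    return f"SELECT calldate, src, dst, duration FROM cdr ORDER BY {order} {sort}"


def order_is_allowed(order: str, sort: str) -> bool:
    """Return True only when both values are on the allowlists."""
    return order in ALLOWED_ORDER_COLUMNS and sort.lower() in ALLOWED_SORT_DIRECTIONS


def build_cdr_query_safe(order: str, sort: str) -> str:
    """Hardened pattern: map request values onto developer-defined identifiers.

    Anything outside the allowlist is rejected before a query string exists, so the
    SQL text can only ever contain identifiers that appear in this source file.
    """
    if not order_is_allowed(order, sort):
        raise ValueError(f"rejected ORDER BY input: order={order!r} sort={sort!r}")
    direction = ALLOWED_SORT_DIRECTIONS[sort.lower()]
    # Quoting the identifier is defence in depth; the allowlist is the real control.
    return f'SELECT calldate, src, dst, duration FROM cdr ORDER BY "{order}" {direction}'


def make_sample_db() -> sqlite3.Connection:
    """In-memory table holding constructed sample call records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, duration INTEGER, disposition TEXT)"
    )
    conn.executemany(
        "INSERT INTO cdr VALUES (?, ?, ?, ?, ?)",
        [
            ("2026-01-01 10:00:00", "100", "200", 30, "ANSWERED"),
            ("2026-01-01 10:05:00", "101", "201", 120, "ANSWERED"),
            ("2026-01-01 10:10:00", "102", "202", 5, "NO ANSWER"),
        ],
    )
    return conn


def query_cdr(conn: sqlite3.Connection, order: str, sort: str) -> list:
    """Run the hardened query with caller-supplied (untrusted) order/sort values."""
    return conn.execute(build_cdr_query_safe(order, sort)).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    for row in query_cdr(db, "duration", "desc"):
        print(row)
    for candidate in ("src", "not_a_column", "duration x"):
        print(candidate, "allowed:", order_is_allowed(candidate, "asc"))
```

The hardened builder never echoes the request value into SQL: it looks the value up and emits the matching constant. Rejected inputs surface as a `ValueError`, which a web handler would turn into an HTTP 400 and a log line, giving defenders a signal when someone probes the `order` and `sort` parameters.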

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the advisory is ingested from upstream feeds within minutes of publication and matched against FreePBX images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle FreePBX, not just upstream tags.

Triage (Available)

Triage is available with the published CVSS v4.0 score of 8.5 (HIGH), then reweighted against each customer's compliance policy so that environments treating authenticated admin-panel SQLi as critical see it escalated accordingly. Findings route to the correct inbox inside each customer org based on image ownership and workload tagging.

Patch (Pending upstream)

A patched-image rebuild at FreePBX 16.0.50 (for the 16.x line) or 17.0.11 (for the 17.x line) becomes available on HarborGuard for affected environments. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fix version, runs the configured regression suite, and opens a PR against the affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the FreePBX Administration Control Panel over the network (AV:N).

  • Authentication: Required

    A valid FreePBX admin-panel account with CDR section access is required (PR:H), though full administrator privileges are not needed.

  • Victim interaction: Not required

    No user interaction is needed; the attacker sends the crafted POST request directly (UI:N).

  • Attack complexity: Low

    Attack complexity is low (AC:L): the injection through `order` and `sort` parameters is reliable and has no environmental preconditions.

Blast Radius

  • Reads arbitrary rows from the FreePBX database, including call detail records, extension configuration, and stored credentials or secrets held in PBX tables.
  • Modifies persisted database rows, allowing tampering with call records, user accounts, dialplan settings, or other PBX configuration.
  • Does not directly impact availability of the PBX service (VA:N), and scope does not extend beyond the FreePBX database itself.

How HarborGuard Handles This

Available on HarborGuard: a rebuilt FreePBX image at 16.0.50 or 17.0.11 is published as soon as the advisory is ingested, and for environments with auto-remediation enabled the platform rebuilds the image at the fix version, runs the configured regression suite, and opens a PR against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation environments. Where compliance policy blocks auto-remediation, the finding is routed for manual review with the fix version and upgrade path pre-populated, and operators should in the meantime restrict CDR module access to trusted accounts and place the Administration Control Panel behind network-level isolation.


Metrics

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: 16.0.50 (16.x line), 17.0.11 (17.x line)
Affected Products: 1
Affected packages:
  • FreePBX / security-reporting: < 16.0.50 · >= 17.0.1, < 17.0.11
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N