CVE-2026-44239: FreePBX: Authenticated Local File Inclusion in Dashboard Module
FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.
HarborGuard Analysis
Synopsis
Authenticated local file inclusion in the FreePBX Dashboard module. The getcontent AJAX handler concatenates the user-supplied rawname parameter into a PHP include() call with a .class.php suffix, letting an attacker with a low-privilege FreePBX account traverse the filesystem with ../ sequences and execute the PHP contents of any .class.php file before the class instantiation error halts execution. Successful exploitation reads sensitive configuration and executes attacker-influenced PHP, exposing the FreePBX admin interface and its credentials. A patched-image rebuild at 16.0.22 or 17.0.5 is available on HarborGuard for affected environments.
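The vulnerable pattern and a hardened replacement, as an added example that is not FreePBX's own code: the reconstruction below is hypothetical, and its function names, module directory layout and module names are assumptions. The hardening pairs an allowlist of known module names with a realpath() containment check, which holds up better than denylisting traversal sequences.

```php
<?php
// Added example, not FreePBX's code: a hypothetical reconstruction of the include()
// pattern the advisory describes, beside a hardened form. Names and layout are assumed.

// VULNERABLE PATTERN: user input is appended to a suffix and handed to
// include(), so "../" sequences select any *.class.php on the filesystem.
function loadModuleClassUnsafe(string $rawname, string $moduleDir): void
{
    include $moduleDir . '/' . $rawname . '.class.php'; // no sanitization
}

// HARDENED: allowlist the name, restrict it to an identifier, then confirm the
// canonical path stays inside the module directory before including it.
function resolveModuleClassFile(string $rawname, string $moduleDir, array $knownModules): ?string
{
    // Module raw names are plain identifiers; anything else is rejected early.
    if (!preg_match('/^[a-z0-9_]+$/', $rawname)) {
        return null;
    }
    // Allowlist beats denylisting "../": only registered modules may load.
    if (!in_array($rawname, $knownModules, true)) {
        return null;
    }
    // Canonicalise both paths; realpath() returns false for missing files.
    $base   = realpath($moduleDir);
    $target = realpath($moduleDir . '/' . $rawname . '.class.php');
    if ($base === false || $target === false) {
        return null;
    }
    // Containment check: the target must sit below the module directory.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed fixture: a temporary module directory holding one legitimate
// class file, plus a file one level up that traversal would otherwise reach.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/modules", 0700, true);
file_put_contents("$root/modules/dashboard.class.php", "<?php // legitimate\n");
file_put_contents("$root/outside.class.php", "<?php // must never load\n");

$known = ['dashboard', 'core'];
foreach (['dashboard', '../outside', 'dash board'] as $input) {
    $resolved = resolveModuleClassFile($input, "$root/modules", $known);
    printf("%-12s -> %s\n", $input, $resolved ?? 'rejected');
}
```

Only the allowlisted, in-directory name resolves to a path; the caller then passes that canonical path, never the raw request value, to include().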
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against FreePBX images in customer registries and pipelines, including custom-built images that vendor the Dashboard module.
- Triage: Available
Triage is available with the CVSS v4.0 score of 7.6 (High) carried through and weighted against each customer's compliance policy, so VoIP and telephony workloads can be escalated above the default high-severity threshold. Findings route to the configured inbox inside each customer org for owner assignment.
- Patched image: Pending upstream
Patched-image rebuilds at 16.0.22 (for the 16.x line) and 17.0.5 (for the 17.x line) are available on HarborGuard for environments running an affected version. Customers who opt into auto-remediation get the rebuilt image, a regression-test run, and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the FreePBX admin web interface over the network.
- Authentication: Required
A low-privilege FreePBX account with access to the Dashboard module's AJAX endpoint is sufficient.
- Victim interaction: Not required
The handler is invoked directly by the attacker and needs no action from another user.
- Attack complexity: Low (AC:L)
AC:L indicates a reliable exploit; AT:P records an attack requirement tied to the layout of .class.php files on the targeted filesystem.
Blast Radius
- Reads arbitrary .class.php files from the filesystem, exposing FreePBX configuration, database credentials, and module internals.
- Executes the PHP contents of any included file under the web server account before the class instantiation error fires, enabling code paths the attacker would not normally reach.
- Pivots from a low-privilege FreePBX login toward full admin compromise of the PBX, including call routing and SIP trunk credentials.
How HarborGuard Handles This
Available on HarborGuard: patched-image rebuilds pinned to FreePBX 16.0.22 or 17.0.5 are published as soon as the fix versions are ingested, and environments with auto-remediation enabled receive a rebuild, regression-test run, and PR opened against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that cannot upgrade immediately, compensating controls include restricting Dashboard module access to trusted admin networks, tightening FreePBX account provisioning so low-privilege users cannot reach the getcontent endpoint, and adding a WAF rule that blocks ../ sequences in the rawname parameter.
Metrics
- CVSS v4.0: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- FreePBX / security-reporting: < 16.0.22 · >= 17.0.1, < 17.0.5
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N