CRITICAL · CVE-2026-46376 · CNA: GitHub_M

CVE-2026-46376: FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface

FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7.

HarborGuard Analysis

Synopsis

Hard-coded credentials in FreePBX's User Control Panel (UCP) allow unauthenticated network attackers to log in using initial template credentials that ship with the product. The UCP is reachable over the network with no authentication or user interaction, and successful exploitation grants the attacker access to UCP user accounts and the data they expose, with high impact to the confidentiality and integrity of those accounts. Note: although the CVE description states the issue is fixed in 16.0.45 and 17.0.7, no fix version is published in the record, so HarborGuard tracks the advisory for confirmed patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the advisory is ingested from upstream feeds within minutes of publication and matched against FreePBX images in customer registries and CI pipelines, including custom-built images. Affected version ranges (15.0.42 through pre-16.0.45 and 17.0.1 through pre-17.0.7) are flagged automatically.
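An added example, not HarborGuard's scanner code or FreePBX code, of the range check described above: it parses a FreePBX version string and reports whether it falls in the advisory's affected ranges (>= 15.0.42, < 16.0.45 and >= 17.0.1, < 17.0.7) and which fixed release to move to. Tolerating a leading "v" and trailing packaging suffixes such as "-1" is an assumption about how version strings arrive, not something the advisory states.

```python
# Constructed example for CVE-2026-46376; ranges and fix releases are from the advisory text.
from __future__ import annotations

import re
from dataclasses import dataclass

# (lower bound inclusive, upper bound exclusive, release to upgrade to)
AFFECTED_RANGES = (
    ("15.0.42", "16.0.45", "16.0.45"),
    ("17.0.1", "17.0.7", "17.0.7"),
)

# Assumption: a leading 'v' and trailing packaging suffixes such as '-1' may appear.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.0.40.12' or 'v17.0.3-1' into a tuple of ints; reject non-versions."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def _pad(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    # Zero-pad so '16.0' compares as 16.0.0 instead of sorting before every 16.0.x.
    return v + (0,) * (width - len(v))

@dataclass(frozen=True)
class Finding:
    version: str
    affected: bool
    fixed_in: str | None  # release to move to; None when not affected

def check_freepbx_version(text: str) -> Finding:
    """Return whether the version is inside an affected range and the fix release."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        width = max(len(v), len(lo), len(hi))
        if _pad(lo, width) <= _pad(v, width) < _pad(hi, width):
            return Finding(text, True, fixed)
    return Finding(text, False, None)

if __name__ == "__main__":
    for sample in ("15.0.41", "15.0.42", "16.0.44.9", "16.0.45", "17.0.3-1", "17.0.7"):
        print(check_freepbx_version(sample))
```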
Triage: Available

Triage is available with CVSS v4 scoring (9.3, Critical) and per-environment compliance policy weighting, so customers running internet-exposed FreePBX deployments see the finding escalated and routed to the appropriate inbox in their org. Policy weights can further elevate the finding for environments tagged as production or external-facing.
Patch: Pending upstream

HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available at 16.0.45 or 17.0.7 the moment the upstream fix metadata is confirmed. For customers who opt into auto-remediation, the rebuilt image is regression-tested and a PR is opened against affected workloads as soon as the fix is published.

Exploit Conditions

  • Network reachability: Required

    Attacker must reach the FreePBX UCP interface over the network, typically HTTP(S) on the PBX host.

  • Authentication: Not required

    No credentials are needed because the attacker logs in using hard-coded initial template credentials.

  • Victim interaction: Not required

    Exploitation is fully automated against the UCP endpoint with no user action required.

  • Attack complexity: Low

    AC:L indicates the exploit is reliable and needs no special preconditions beyond the admin never having rotated the initial template credentials.

Blast Radius

  • Unauthenticated login to UCP user accounts whose initial template credentials were not rotated.
  • Reads voicemail, call history, contacts, and other UCP-exposed personal communication data (VC:H).
  • Modifies UCP user settings, forwarding rules, and preferences, enabling call redirection or further social engineering (VI:H).
  • Provides a foothold for pivoting into the broader FreePBX administrative surface from a logged-in user context.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the advisory for confirmed patch metadata, with automatic flagging of FreePBX images in the affected ranges (15.0.42 to pre-16.0.45 and 17.0.1 to pre-17.0.7). Until the fix version is published in the feed, compensating-control suggestions surface in the finding, including restricting UCP exposure with network policy or VPN, forcing a rotation of any initial template credentials set during UCP enablement, and auditing UCP user accounts for unexpected logins. For customers with auto-remediation enabled, a patched-image rebuild at 16.0.45 or 17.0.7 will be generated, regression-tested, and proposed via PR against affected workloads as soon as the upstream fix is confirmed, with a median time from publication to merged PR of around 90 minutes for critical-severity findings.


Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: not yet published in the record
Affected Products: 1
Affected packages:
  • FreePBX / security-reporting
    >= 15.0.42, < 16.0.45 · >= 17.0.1, < 17.0.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N