CVE-2026-40520

HIGH

FreePBX api module Command Injection via GraphQL

Title source: cna

Description

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.

References (4)

[Patch] https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql

Scores

CVSS v3 7.2

EPSS 0.0026

EPSS Percentile 49.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (3)

FreePBX/api < 17.0.8

freepbx/api < 17.0.8

FreePBX/api 5f194e39a47e5481e8947f9694304d32724175f6

Published Apr 21, 2026

Tracked Since Apr 21, 2026