CVE-2026-46376

CRITICAL

FreePBX UCP - Hardcoded Template Credentials

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-46376. PoCs published by portbuster1337.

AI-analyzed exploit summary The repository contains a functional Python exploit for CVE-2026-46376, which leverages hard-coded credentials in FreePBX's userman module to achieve unauthenticated access to the User Control Panel (UCP). The PoC includes multiple exploitation methods, including credential-based login, unlock key bypass, and default admin credential testing.

Description

FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7.

Exploits (1)

nomisec WORKING POC

by portbuster1337 · poc

https://github.com/portbuster1337/CVE-2026-46376

View Code ZIP pw:eip

The repository contains a functional Python exploit for CVE-2026-46376, which leverages hard-coded credentials in FreePBX's userman module to achieve unauthenticated access to the User Control Panel (UCP). The PoC includes multiple exploitation methods, including credential-based login, unlock key bypass, and default admin credential testing.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: FreePBX (15.0.42+, userman <= 16.0.44, userman <= 17.0.6)

No auth needed

Prerequisites: UCP generic template setup must have been performed by an administrator

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 30, 2026 Full analysis →

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx

Scores

CVSS v3 9.8

EPSS 0.0008

EPSS Percentile 24.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-798

Status published

Products (3)

FreePBX/security-reporting >= 15.0.42, < 16.0.45

FreePBX/security-reporting >= 17.0.1, < 17.0.7

sangoma/freepbx < 16.0.45

Published May 29, 2026

Tracked Since May 29, 2026