Medium severityOSV Advisory· Published Sep 5, 2025· Updated Apr 15, 2026

CVE-2025-55739

Description

api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3.

Affected products

Freepbx/APIOSV
Range: release/15.0.10, release/15.0.11, release/15.0.12, …

Patches

e152674dbc42

[Module Tag script: api 15.0.13]

https://github.com/FreePBX/apikapil guptaSep 4, 2025via osv

commit

4 files changed · +17 −16

i18n/api.pot+8 −8 modified

@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-01 09:06+0000\n"
+"POT-Creation-Date: 2025-09-04 13:28+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -75,8 +75,8 @@ msgstr ""
 msgid "Admin Ports"
 msgstr ""
 
-#: Api.class.php:296
-#: Api.class.php:311
+#: Api.class.php:298
+#: Api.class.php:313
 #, php-format
 msgid "All %s for %s"
 msgstr ""
@@ -310,13 +310,13 @@ msgstr ""
 msgid "Protocol Disabled"
 msgstr ""
 
-#: Api.class.php:286
+#: Api.class.php:288
 #, php-format
 msgid "Read/Write for %s"
 msgstr ""
 
-#: Api.class.php:265
-#: Api.class.php:272
+#: Api.class.php:267
+#: Api.class.php:274
 #, php-format
 msgid "Read/Write for all modules [%s]"
 msgstr ""
@@ -394,11 +394,11 @@ msgid ""
 "to control your PBX systems."
 msgstr ""
 
-#: Api.class.php:133
+#: Api.class.php:135
 msgid "The API private Key Regeneration Notification."
 msgstr ""
 
-#: Api.class.php:133
+#: Api.class.php:135
 msgid ""
 "The API private key has been regenerated due to a detected security risk "
 "involving encryption keys. Please ensure your API integration operates as "

i18n/es_ES/LC_MESSAGES/api.mo+0 −0 modified

i18n/es_ES/LC_MESSAGES/api.po+6 −6 modified

@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-01 09:06+0000\n"
+"POT-Creation-Date: 2025-09-04 13:28+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -66,7 +66,7 @@ msgstr ""
 msgid "Admin Ports"
 msgstr ""
 
-#: Api.class.php:296 Api.class.php:311
+#: Api.class.php:298 Api.class.php:313
 #, php-format
 msgid "All %s for %s"
 msgstr ""
@@ -273,12 +273,12 @@ msgstr ""
 msgid "Protocol Disabled"
 msgstr ""
 
-#: Api.class.php:286
+#: Api.class.php:288
 #, php-format
 msgid "Read/Write for %s"
 msgstr ""
 
-#: Api.class.php:265 Api.class.php:272
+#: Api.class.php:267 Api.class.php:274
 #, php-format
 msgid "Read/Write for all modules [%s]"
 msgstr ""
@@ -354,11 +354,11 @@ msgid ""
 "to control your PBX systems."
 msgstr ""
 
-#: Api.class.php:133
+#: Api.class.php:135
 msgid "The API private Key Regeneration Notification."
 msgstr ""
 
-#: Api.class.php:133
+#: Api.class.php:135
 msgid ""
 "The API private key has been regenerated due to a detected security risk "
 "involving encryption keys. Please ensure your API integration operates as "

module.xml+3 −2 modified

@@ -2,7 +2,7 @@
 	<rawname>api</rawname>
 	<repo>standard</repo>
 	<name>PBX API</name>
-	<version>15.0.12</version>
+	<version>15.0.13</version>
 	<publisher>Sangoma Technologies Corporation</publisher>
 	<license>AGPLv3+</license>
 	<licenselink>http://www.gnu.org/licenses/gpl-3.0.txt</licenselink>
@@ -11,6 +11,7 @@
 		<api>API</api>
 	</menuitems>
 	<changelog>
+		*15.0.13* Packaging of ver 15.0.13
 		*15.0.12* FREEI-2045 Fixing issue of replacing hardcoded fixed encryption key with dynamically generated key. 
 		*15.0.11* FREEI-65 sanitizing the host parameter 
 		*15.0.10* FREEI-65 
@@ -113,4 +114,4 @@
 	<supported>
 		<version>15.0</version>
 	</supported>
-</module>
+</module>
\ No newline at end of file

4e1318b197da

[Module Tag script: api 17.0.3]

https://github.com/FreePBX/apikapil guptaSep 4, 2025via osv

commit

3 files changed · +17 −16

i18n/api.pot+8 −8 modified

@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-01 04:57-0400\n"
+"POT-Creation-Date: 2025-09-04 09:22-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -75,8 +75,8 @@ msgstr ""
 msgid "Admin Ports"
 msgstr ""
 
-#: Api.class.php:300
-#: Api.class.php:315
+#: Api.class.php:301
+#: Api.class.php:316
 #, php-format
 msgid "All %s for %s"
 msgstr ""
@@ -309,13 +309,13 @@ msgstr ""
 msgid "Protocol Disabled"
 msgstr ""
 
-#: Api.class.php:290
+#: Api.class.php:291
 #, php-format
 msgid "Read/Write for %s"
 msgstr ""
 
-#: Api.class.php:269
-#: Api.class.php:276
+#: Api.class.php:270
+#: Api.class.php:277
 #, php-format
 msgid "Read/Write for all modules [%s]"
 msgstr ""
@@ -386,7 +386,7 @@ msgid ""
 "Google account"
 msgstr ""
 
-#: Api.class.php:135
+#: Api.class.php:136
 msgid "The API Key Regeneration Notification."
 msgstr ""
 
@@ -397,7 +397,7 @@ msgid ""
 "to control your PBX systems."
 msgstr ""
 
-#: Api.class.php:135
+#: Api.class.php:136
 msgid ""
 "The API private key has been regenerated due to a detected security risk "
 "involving encryption keys. Please ensure your API integration operates as "

i18n/es_ES/LC_MESSAGES/api.po+6 −6 modified

@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-01 04:57-0400\n"
+"POT-Creation-Date: 2025-09-04 09:22-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -66,7 +66,7 @@ msgstr ""
 msgid "Admin Ports"
 msgstr ""
 
-#: Api.class.php:300 Api.class.php:315
+#: Api.class.php:301 Api.class.php:316
 #, php-format
 msgid "All %s for %s"
 msgstr ""
@@ -273,12 +273,12 @@ msgstr ""
 msgid "Protocol Disabled"
 msgstr ""
 
-#: Api.class.php:290
+#: Api.class.php:291
 #, php-format
 msgid "Read/Write for %s"
 msgstr ""
 
-#: Api.class.php:269 Api.class.php:276
+#: Api.class.php:270 Api.class.php:277
 #, php-format
 msgid "Read/Write for all modules [%s]"
 msgstr ""
@@ -347,7 +347,7 @@ msgid ""
 "Google account"
 msgstr ""
 
-#: Api.class.php:135
+#: Api.class.php:136
 msgid "The API Key Regeneration Notification."
 msgstr ""
 
@@ -358,7 +358,7 @@ msgid ""
 "to control your PBX systems."
 msgstr ""
 
-#: Api.class.php:135
+#: Api.class.php:136
 msgid ""
 "The API private key has been regenerated due to a detected security risk "
 "involving encryption keys. Please ensure your API integration operates as "

module.xml+3 −2 modified

@@ -2,7 +2,7 @@
 	<rawname>api</rawname>
 	<repo>standard</repo>
 	<name>PBX API</name>
-	<version>17.0.2</version>
+	<version>17.0.3</version>
 	<publisher>Sangoma Technologies Corporation</publisher>
 	<license>AGPLv3+</license>
 	<licenselink>http://www.gnu.org/licenses/gpl-3.0.txt</licenselink>
@@ -11,6 +11,7 @@
 		<api>API</api>
 	</menuitems>
 	<changelog>
+		*17.0.3* Packaging of ver 17.0.3
 		*17.0.2* FREEI-2045 Fixing issue of replacing hardcoded fixed encryption key with dynamically generated key. 
 		*17.0.1alpha* 17.0.1 alpha release
 	</changelog>
@@ -86,4 +87,4 @@
 			<class>Api</class>
 		</command>
     </console>
-</module>
+</module>
\ No newline at end of file

7e5a91cfdc04

[Module Tag script: api 16.0.15]

https://github.com/FreePBX/apikapil guptaSep 4, 2025via osv

commit

1 file changed · +1 −1

i18n/api.pot+1 −1 modified

@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-04 12:28+0000\n"
+"POT-Creation-Date: 2025-09-04 12:38+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

305295aad383

key permssion to 0600

https://github.com/FreePBX/apiPhilip JosephSep 4, 2025via osv

commit

1 file changed · +2 −0

Api.class.php+2 −0 modified

@@ -129,6 +129,8 @@ public function install() {
 		$this->freepbx->PKCS->generateKey($this->oauthKey);
 		$this->freepbx->PKCS->extractPublicKey($this->oauthKey);
 		if(isset($keyfile) && file_exists($keyfile)) {
+			chmod($keyfile, 0600);
+			chmod($pubkeyfile, 0600);
 			$noKeyUpdateNotify = $this->getConfig('no-key-update-notifiy');
 			if (!$noKeyUpdateNotify) {
 				$nt = \notifications::create();

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000