VYPR
High severity · NVD Advisory · Published May 18, 2026

CVE-2026-26978

Description

FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FreePBX backup module deserializes untrusted data during restore, allowing authenticated RCE as the web server user.

Vulnerability

Overview

CVE-2026-26978 is a high-severity vulnerability in the FreePBX backup module affecting versions below 16.0.71 and 17.0.6. During backup restore operations, the module extracts files from a user-supplied tar archive and passes the content of a manifest file directly to PHP's unserialize() without validation, class restrictions, or integrity checks [1]. This insecure deserialization allows an attacker to inject arbitrary PHP objects that can execute code upon deserialization.

Exploitation

Prerequisites and Attack Surface

Exploitation requires authentication with a known username that has sufficient access permissions to the FreePBX Administrator Control Panel and write access to backup files [1]. The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. An attacker can craft a malicious tar archive containing a specially crafted manifest file that, when processed by the vulnerable getMetadata() function, triggers remote code execution [2][3]. The vulnerability is network-accessible (CVSS:4.0/AV:N) with low attack complexity and no user interaction required [1].

Impact

Successful exploitation allows an attacker to achieve remote code execution as the web server user (typically asterisk or www-data) [1]. This can lead to full compromise of the FreePBX system, including access to call records, voicemail, configuration files, and the ability to pivot to other systems on the network. The CVSS 4.0 base score is 8.6 (High) with high impacts on confidentiality and integrity [1].

Mitigation

Status

The vulnerability has been fixed in FreePBX versions 16.0.71 and 17.0.6. The fix replaces the unsafe unserialize() call with json_decode() and, as a fallback, uses unserialize() with the ['allowed_classes' => false] option to prevent object instantiation [2][3]. Administrators should update immediately and restrict access to the backup and restore modules to trusted users only [1].
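The following PHP is an added illustration, not FreePBX's own code: it places the restore-time pattern the advisory describes (manifest bytes handed straight to unserialize()) beside the fixed pattern it cites (json_decode() first, then unserialize() with allowed_classes disabled as a fallback). The function names, the WakeupProbe class and the three sample manifests are assumptions constructed for the demonstration; the probe only counts how often its __wakeup() runs, which is enough to show that the unsafe path executes code from the archive while the safe path never instantiates a class.

```php
<?php
// Added example, not FreePBX code. Function names, the WakeupProbe class and
// the sample manifests below are assumptions constructed for illustration.
declare(strict_types=1);

/** Stand-in for any class with a magic method; counts how often __wakeup() ran. */
final class WakeupProbe
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

/** Pattern the advisory describes: every object in the manifest is instantiated, so its magic methods run. */
function getMetadataUnsafe(string $raw): mixed
{
    return unserialize($raw); // no validation, no class restriction, no integrity check
}

/** Fixed pattern: JSON first; legacy PHP-serialized manifests are read with no class allowed. */
function getMetadataSafe(string $raw): array
{
    $data = json_decode($raw, true);
    if (json_last_error() === JSON_ERROR_NONE && is_array($data)) {
        return $data;
    }

    // allowed_classes => false turns every O:... record into __PHP_Incomplete_Class
    // instead of instantiating it, so no __wakeup()/__destruct() from the archive runs.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('manifest is neither JSON nor a serialized array');
    }

    // Defense in depth: a manifest is plain metadata, so any object at all means tampering.
    array_walk_recursive($data, static function ($value): void {
        if (is_object($value)) {
            throw new RuntimeException('manifest contains serialized objects; refusing restore');
        }
    });

    return $data;
}

// Constructed sample manifests (not taken from a real backup).
$jsonManifest    = '{"version":"17.0.6","files":["etc/asterisk/sip.conf"]}';
$legacyManifest  = 'a:1:{s:7:"version";s:7:"16.0.70";}';
$hostileManifest = 'a:2:{s:7:"version";s:3:"bad";s:5:"probe";O:11:"WakeupProbe":0:{}}';

// Unsafe path: the probe's __wakeup() runs before any validation could happen.
getMetadataUnsafe($hostileManifest);
printf("unsafe path: __wakeup ran %d time(s)\n", WakeupProbe::$wakeups);

// Safe path: JSON and legacy array manifests load; the hostile one is rejected
// and __wakeup() is never invoked.
WakeupProbe::$wakeups = 0;
print_r(getMetadataSafe($jsonManifest));
print_r(getMetadataSafe($legacyManifest));
try {
    getMetadataSafe($hostileManifest);
} catch (RuntimeException $e) {
    echo "safe path: ", $e->getMessage(), "\n";
}
printf("safe path: __wakeup ran %d time(s)\n", WakeupProbe::$wakeups);
```

Run with `php example.php`. The last check in getMetadataSafe() is stricter than allowed_classes alone: with classes disabled, unserialize() still returns placeholder objects, and a restore routine that silently carries those placeholders into its configuration is easier to audit if it refuses them outright, since a legitimate manifest has no reason to contain any object.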

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
