High severity · 7.2 · NVD Advisory · Published Apr 21, 2026 · Updated Apr 23, 2026
CVE-2026-40520
Description
FreePBX api module versions 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function: GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field and execute arbitrary commands on the underlying host as the web server user.
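A defensive counterpart to the vendor patch, written for this page and not taken from FreePBX: it rejects malformed moduleOperations fields before anything is built, then starts fwconsole through proc_open() with an argv array so that no shell ever parses the values, which removes the metacharacter problem instead of quoting around it. The allow-list of actions, the positional order (action, module, track, txnId) and the bin path are assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Validate the four positional fields and return an argv array for fwconsole.
// Assumed: order is [action, module, track, txnId]; the action allow-list is
// modelled on the 'enable'/'install'/'upgrade' set visible in the patch.
function buildFwconsoleArgv(string $bin, array $args): array
{
    [$action, $module, $track, $txnId] = array_pad(array_values($args), 4, '');
    $allowedActions = ['enable', 'disable', 'install', 'uninstall', 'upgrade', 'upgradeall'];
    if (!in_array($action, $allowedActions, true)) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    // Module names, tracks and transaction ids: letters, digits and '_' only,
    // so backticks, $(), ;, | and friends are refused before any process starts.
    foreach (['module' => $module, 'track' => $track, 'txnId' => $txnId] as $name => $value) {
        if ($value !== '' && !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value)) {
            throw new InvalidArgumentException("invalid $name");
        }
    }
    $argv = [$bin . '/fwconsole', 'ma', $action];
    if ($action !== 'upgradeall') {
        $argv[] = $module;
        $argv[] = '--' . $track;
    }
    return $argv;
}

// proc_open() with an array command (PHP >= 7.4) passes each element as its own
// argv entry; the output is discarded via 'file' descriptors, not shell redirection.
function runWithoutShell(array $argv): int
{
    $spec = [1 => ['file', '/dev/null', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ' . $argv[0]);
    }
    return proc_close($proc);
}

// Constructed inputs with a placeholder bin path: the first is accepted,
// the second (a module name carrying a backtick) is refused by validation.
$argv = buildFwconsoleArgv('/opt/example/bin', ['install', 'core', 'stable', 'txn42']);
try {
    buildFwconsoleArgv('/opt/example/bin', ['install', 'core`x`', 'stable', 'txn42']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```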
Affected products
Patches (1)
5f194e39a47e FREEI-2805 fix:sanitize shell arguments in GraphQL moduleOperations
3 files changed · +12 −5
Api.class.php+6 −1 modified@@ -545,7 +545,12 @@ public function setGqlApiHelper() { // run as background job public function initiateGqlAPIProcess($args) { $bin = $this->freepbx->Config()->get('AMPSBIN'); - shell_exec($bin . '/fwconsole api gql ' . $args[0] . ' ' . $args[1] . ' ' . $args[2] . ' ' . $args[3] . ' >/dev/null 2>/dev/null &'); + $fwconsole = escapeshellarg($bin . '/fwconsole'); + $a0 = escapeshellarg((string) ($args[0] ?? '')); + $a1 = escapeshellarg((string) ($args[1] ?? '')); + $a2 = escapeshellarg((string) ($args[2] ?? '')); + $a3 = escapeshellarg((string) ($args[3] ?? '')); + shell_exec($fwconsole . ' api gql ' . $a0 . ' ' . $a1 . ' ' . $a2 . ' ' . $a3 . ' >/dev/null 2>/dev/null &'); } /**
ApiGqlHelper.class.php+4 −3 modified@@ -27,15 +27,16 @@ public function execGqlApi($args) { $txnId = $args[3]; $bin = $this->freepbx->Config()->get('AMPSBIN'); + $fwconsole = escapeshellarg($bin . '/fwconsole'); if($module == 'upgradeall'){ $action = $module; $txnId = $args[2]; - shell_exec($bin.'/fwconsole ma '.$action); + shell_exec($fwconsole . ' ma ' . escapeshellarg($action)); } else { - shell_exec($bin . '/fwconsole ma ' . $action . ' ' . $module . ' --' . $track); + shell_exec($fwconsole . ' ma ' . escapeshellarg($action) . ' ' . escapeshellarg($module) . ' --' . escapeshellarg((string) $track)); } - $result = shell_exec($bin."/fwconsole ma list|grep ".$module ."|awk '{print $5 $6}'"); + $result = shell_exec($fwconsole . ' ma list|grep ' . escapeshellarg($module) . "|awk '{print $5 $6}'"); $reason = ''; $enabled = ['enable', 'install', 'upgrade'];
module.xml+2 −1 modified@@ -11,6 +11,7 @@ <api>API</api> </menuitems> <changelog> + *17.0.6* FREEI-2805 fix:sanitize shell arguments in GraphQL moduleOperations *17.0.5* FREEI-2379 v16 graphql scope validation for the token is added *17.0.3* Packaging of ver 17.0.3 *17.0.2* FREEI-2045 Fixing issue of replacing hardcoded fixed encryption key with dynamically generated key. @@ -88,4 +89,4 @@ <class>Api</class> </command> </console> -</module> \ No newline at end of file +</module>
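Review bot: the initiateGqlAPIProcess() hunk in Api.class.php quotes each positional value with escapeshellarg(), which stops backticks and other metacharacters in $args[0] to $args[3] from being interpreted, but the command is still assembled as a shell string. Since the change already normalises each value to a string, passing an argv array to proc_open() (PHP 7.4+) would remove the shell from the path altogether; the >/dev/null redirection can be kept with 'file' descriptors. Note also that escapeshellarg() silently drops byte sequences that are invalid in the current locale's encoding, so a malformed value is altered rather than refused; checking the four fields against an expected shape before quoting would make such failures explicit. No test accompanies the change.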
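Review bot: in the execGqlApi() hunk of ApiGqlHelper.class.php, `' --' . escapeshellarg((string) $track)` produces a token such as `--'stable'`, which the shell concatenates into a single `--stable` argument, so it works, but it reads as if the quoting were misplaced; a comment, or validating $track against the known track names and appending it unquoted, would make the intent clear. In `$result = shell_exec($fwconsole . ' ma list|grep ' . escapeshellarg($module) . "|awk '{print $5 $6}'");` the module name now reaches grep as one argument, but grep still treats it as a regular expression, so a name that is a prefix of another module, or contains '.', can match the wrong row; `grep -F -w --` followed by the quoted name, or filtering the `ma list` output in PHP, avoids that. Both branches escape but do not validate the values, so unexpected module or action strings are still forwarded to fwconsole.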
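Review bot: the new changelog line in module.xml is tagged `*17.0.6*`, but this advisory lists 17.0.8 and prior as affected, so either the entry's version is stale or the fix ships in a later release than the changelog states; please confirm the version tag matches the release that actually contains this commit, otherwise operators comparing their installed version against the changelog will misjudge whether they are patched. The second module.xml hunk only adds the missing trailing newline.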
References
- github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6 (NVD: Patch)
- www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql (NVD: Third Party Advisory)
- github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/Api.class.php (NVD: Product)
- github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/ApiGqlHelper.class.php (NVD: Product)