CVE-2026-44237
Description
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FreePBX api module OAuth2 client_secret validation is bypassed, allowing token theft with only a known client_id.
Vulnerability
The FreePBX api module prior to version 17.0.8 contains an OAuth2 implementation flaw in the ClientRepository.php file. The validateClient() method unconditionally returns true, so any party with knowledge of a valid client_id can obtain OAuth2 access tokens without providing the matching client_secret. The API module must be installed and at least one OAuth2 application configured. By default, the client_id is a random 64-character string that is not brute-forceable [1].
Exploitation
An attacker must first obtain a valid client_id, which requires either authenticated access to the FreePBX Administrator Control Panel (ACP) or access to a backup of the system. With that client_id, the attacker can directly request tokens via the client_credentials grant, bypassing the client_secret check entirely. No additional network position or user interaction is required beyond having that client_id [1].
Impact
Successfully obtaining an access token with the default gql scope grants the attacker full read/write access to all GraphQL mutations and queries. This leads to complete compromise of the FreePBX system's data and configuration, i.e., high confidentiality and integrity impact [1].
Mitigation
Update the api module to FreePBX 17.0.8 or later, released 2026-05-29. Additionally, restrict access to the FreePBX ACP to authorized users only (e.g., using User Management, SysAdmin VPN, MFA, or SAML modules), block hostile networks via the FreePBX Firewall module, and secure backups [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <17.0.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The validateClient() method in ClientRepository.php unconditionally returns true, bypassing client_secret verification during OAuth2 token issuance."
Attack vector
An attacker must first obtain a valid `client_id` — by default a randomized 64-character string that is not brute-forceable — through an authenticated Administrator Control Panel session or access to a backup [ref_id=1]. The API module must be installed with at least one OAuth2 application configured. With that `client_id`, the attacker can request OAuth2 access tokens via the `client_credentials` grant without providing the correct `client_secret`, because `validateClient()` unconditionally returns `true` [ref_id=1]. The resulting token, with the default `gql` scope, grants full read/write access to all GraphQL mutations and queries [ref_id=1].
Affected code
The vulnerability resides in `ClientRepository.php` in the FreePBX api module. The `validateClient()` method unconditionally returns `true`, bypassing client_secret verification during OAuth2 token issuance [ref_id=1]. This flaw was introduced in 2023 as part of the PHP version upgrade for FreePBX v17 [ref_id=1].
What the fix does
The advisory directs users to update the api module to the latest version, which fixes the unconditional return in `validateClient()` [ref_id=1]. The patch is not shown in the bundle, but the fix presumably adds proper client_secret validation so that `validateClient()` no longer returns `true` for every request. The advisory also recommends mitigating steps such as restricting access to the Administrator Control Panel via user management, VPN, MFA, SAML, or the FreePBX Firewall module [ref_id=1].
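As an added illustration (not FreePBX's own code; the real patch is not in the bundle), the pre-fix shape of `validateClient()` beside a hardened form. It assumes the module's repository implements league/oauth2-server's `ClientRepositoryInterface`, a hypothetical `oauth_clients` table, and client secrets stored as `password_hash()` digests.

```php
<?php
// Added illustration, not FreePBX's own code. Assumes the api module's repository
// implements league/oauth2-server's ClientRepositoryInterface and keeps each OAuth2
// application in a hypothetical oauth_clients table with the secret as a password_hash() digest.
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\Traits\{ClientTrait, EntityTrait};
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
final class ClientEntity implements ClientEntityInterface
{
    use ClientTrait, EntityTrait;
    public function __construct(string $id, string $name, string $redirectUri)
    {
        $this->identifier = $id; $this->name = $name;
        $this->redirectUri = $redirectUri; $this->isConfidential = true;
    }
}

final class ClientRepository implements ClientRepositoryInterface
{
    public function __construct(private \PDO $db) {}
    private function fetchRow(string $clientId): ?array
    {
        $stmt = $this->db->prepare('SELECT * FROM oauth_clients WHERE client_id = ?');
        $stmt->execute([$clientId]);
        return $stmt->fetch(\PDO::FETCH_ASSOC) ?: null; // null when client_id is unknown
    }
    public function getClientEntity(string $clientIdentifier): ?ClientEntityInterface
    {
        $row = $this->fetchRow($clientIdentifier);
        return $row ? new ClientEntity($row['client_id'], $row['name'], $row['redirect_uri']) : null;
    }
    // Pre-17.0.8 shape described by the advisory: every caller is accepted, so a
    // known client_id alone is enough to be issued a token.
    //     public function validateClient(...): bool { return true; }
    // Hardened form: require the secret registered for this client (constant-time
    // check via password_verify) and a grant type the application was registered for.
    public function validateClient(string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool
    {
        $row = $this->fetchRow($clientIdentifier);
        if ($row === null || $clientSecret === null || $clientSecret === '') {
            return false; // unknown client, or a confidential client sent no secret
        }
        if (!password_verify($clientSecret, $row['secret_hash'])) {
            return false; // wrong client_secret
        }
        $allowed = explode(',', (string) $row['allowed_grants']);
        return $grantType === null || in_array($grantType, $allowed, true);
    }
}
```

With this shape, a `client_credentials` request carrying only a valid `client_id` is refused at `validateClient()` before any token is minted.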
Preconditions
- Input: Knowledge of a valid client_id (randomized 64-character string, not brute-forceable)
- Config: API module must be installed with at least one OAuth2 application configured
- Auth: Attacker must have obtained the client_id through an authenticated ACP session or backup access
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.