VYPR
Critical severity · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-46376

Description

FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FreePBX User Control Panel (UCP) uses hard-coded credentials in generic templates, enabling unauthenticated access if administrators do not change them after setup.

Vulnerability

FreePBX versions from 15.0.42 up to (but not including) 16.0.45 and 17.0.7 contain hard-coded sample credentials in the User Control Panel (UCP) generic template setup process [1]. This optional process, when run by an administrator with authenticated access to the Admin Control Panel (ACP), creates UCP accounts with known credentials. If the administrator does not immediately change these credentials, the accounts remain accessible to anyone.

Exploitation

An unauthenticated attacker with network access to the UCP login page can exploit this vulnerability by simply using the hard-coded credentials (which are publicly known from the template) to log in [1]. No authentication, user interaction, or special privileges are required. The attacker only needs to know the default credentials that were set during the template setup.

Impact

Successful exploitation grants the attacker unauthenticated access to the UCP with the privileges of the template user. This can lead to high confidentiality and integrity impact, as the attacker may view or modify user data, call logs, and other sensitive information [1]. The CVSS 4.0 base score is 9.1 (Critical), reflecting the potential for complete compromise of UCP data.

Mitigation

The vulnerability is fixed in FreePBX versions 16.0.45 and 17.0.7 [1]. Administrators should update the userman module to the latest version, which randomizes the password for new template accounts. As a workaround, ensure that only authorized users have access to the ACP and UCP, for example by using the FreePBX Firewall module to restrict network access [1]. If the template setup has been run, manually change the credentials of any accounts created by it.
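To turn the version ranges above into a repeatable inventory check, here is an added example (not code from the advisory, NVD or the FreePBX project) that classifies FreePBX version strings against the affected ranges as the description states them: 15.0.42 up to but not including 16.0.45, and the 17.x line before 17.0.7. Host names and versions in the sample inventory are constructed.

```python
"""Classify FreePBX version strings against the CVE-2026-46376 affected ranges.

Added example; the range boundaries are taken from the advisory text. The
interpretation that the 17.x line is affected from 17.0.0 is an assumption
made here, since the advisory only names 17.0.7 as the fixed release.
"""
from __future__ import annotations

# (first affected, first fixed) per the advisory: fixed in 16.0.45 and 17.0.7
AFFECTED_RANGES = [
    ((15, 0, 42), (16, 0, 45)),
    ((17, 0, 0), (17, 0, 7)),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '16.0.44' (or '16.0.44.1') into a tuple of ints for comparison.

    Non-numeric components (e.g. a 'beta' suffix) raise ValueError so the
    caller can route the host to a manual-review bucket instead of guessing.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    version = tuple(int(p) for p in parts)
    return version + (0,) * (3 - len(version))  # pad to at least major.minor.patch


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range (fixed versions excluded)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version mapping into affected / not_affected / unknown buckets."""
    out: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, ver in inventory.items():
        try:
            out["affected" if is_affected(ver) else "not_affected"].append(host)
        except ValueError:
            out["unknown"].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"pbx-a": "16.0.44", "pbx-b": "16.0.45", "pbx-c": "17.0.7",
              "pbx-d": "15.0.41", "pbx-e": "17.0.3", "pbx-f": "n/a"}
    print(triage(sample))
```

Hosts in the "affected" bucket are candidates for the userman update and the manual credential rotation described above; "unknown" entries need a human to confirm the installed version.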

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
