Privilege Escalation Vulnerability in FreePBX API by FreePBX
CVE-2025-55210

2LOW

Key Information:

Vendor

Freepbx

Status
Api
Vendor
CVE Published:
12 February 2026

What is CVE-2025-55210?

FreePBX, an open-source GUI for managing Asterisk, is susceptible to a privilege escalation vulnerability in its API modules prior to versions 17.0.5 and 16.0.17. The flaw allows authenticated users with access to the REST and GraphQL APIs to create forged JSON Web Tokens (JWTs) using the api-oauth.key private key. This can enable attackers, even those with lower privileges, to bypass standard authorization controls by requesting any scope they desire, as long as they know a valid JWT ID (jti) that corresponds to an existing entry in the database. This capability poses a significant risk for unauthorized access to sensitive functionalities within FreePBX.

Affected Version(s)

api >= 15.0.1alpha1, < 16.0.17 < 15.0.1alpha1, 16.0.17

api >= 17.0.0, < 17.0.5 < 17.0.0, 17.0.5

References

https://github.com/FreePBX/security-reporting/security/ad...
x_refsource_CONFIRM
https://github.com/FreePBX/api/commit/bc6f7d72063cffb18ba...
x_refsource_MISC
https://github.com/FreePBX/api/commit/c16a3a79b83382fb488...
x_refsource_MISC

CVSS V4

Score:
2
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.