Command Injection Risk in FreePBX API Module Affects Multiple Users
CVE-2026-40520

8.6 HIGH

Key Information:

Vendor: FreePBX

Status: Vendor

CVE Published: 21 April 2026

What is CVE-2026-40520?

CVE-2026-40520 is a command injection vulnerability in the FreePBX API module, in the initiateGqlAPIProcess() function. Input fields of a GraphQL mutation are interpolated into a command string that is handed to shell_exec() without sanitization or escaping. An authenticated attacker holding a valid API bearer token can send a crafted moduleOperations mutation whose module field wraps a command in backticks; the shell performs command substitution on that field and runs the attacker's command with the privileges of the web server user. Since a bearer token is the only precondition, the flaw is reachable over the network by any client that can obtain one. Administrators should update the api module past the affected versions listed below.
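The following PHP snippet is an added illustration of the bug class, not code from FreePBX or from the advisory: a hypothetical request handler splices a GraphQL module argument into a shell command, shown beside a hardened version that validates the name and quotes every argument. The command line (fwconsole ma), the function names, the action list and the module-name grammar are assumptions made for the example.

```php
<?php
// Added example, not FreePBX code. Names, the command line and the
// module-name grammar are assumptions; the payload is constructed.

// Hypothetical vulnerable pattern: the "module" field of a moduleOperations
// mutation is spliced into a command string and handed to shell_exec().
function buildCommandUnsafe(string $module, string $action): string
{
    // Double quotes do not help: /bin/sh still performs command substitution
    // on backticks and $(...) inside a double-quoted word before running it.
    return "fwconsole ma {$action} \"{$module}\"";
}

// Hardened variant: restrict the action to a fixed set, restrict the module
// name to the identifier grammar it actually needs, then quote each argument
// with escapeshellarg(), which single-quotes the value so the shell treats
// backticks, $, ; and | as literal characters.
function buildCommandSafe(string $module, string $action): string
{
    $allowedActions = ['install', 'enable', 'disable', 'uninstall'];
    if (!in_array($action, $allowedActions, true)) {
        throw new InvalidArgumentException("unsupported action: {$action}");
    }
    // Assumed grammar for a module raw name: short, lowercase, alphanumeric.
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/', $module)) {
        throw new InvalidArgumentException('invalid module name');
    }
    return 'fwconsole ma ' . escapeshellarg($action) . ' ' . escapeshellarg($module);
}

// Helper for log review: flags values that carry shell metacharacters of the
// kind an injection attempt would need (backtick, $(, ;, |, &, newline).
function looksLikeShellInjection(string $value): bool
{
    return (bool) preg_match('/[`;|&\n]|\$\(/', $value);
}

// Constructed attacker input of the kind described in the advisory.
$payload = 'core`id > /tmp/pwned`';

echo buildCommandUnsafe($payload, 'install'), PHP_EOL;   // backticks survive intact
echo buildCommandSafe('core', 'install'), PHP_EOL;       // both arguments single-quoted

try {
    buildCommandSafe($payload, 'install');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

var_dump(looksLikeShellInjection($payload));   // true
var_dump(looksLikeShellInjection('core'));     // false
```

The allowlist check is the primary control here: a module name should never legitimately contain a backtick, so rejecting it outright is safer than relying on quoting alone. escapeshellarg() is kept as defense in depth for the case where a future change widens the accepted grammar. The looksLikeShellInjection() helper is the kind of filter a responder could run over captured GraphQL request bodies when checking whether an exposed API endpoint received moduleOperations mutations with suspicious module values.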

Affected Version(s)

api: all versions up to and including 17.0.8 (0 <= version <= 17.0.8)

api: commit 5f194e39a47e5481e8947f9694304d32724175f6

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M. Cory Billington of theyhack.me