OAuth2 Implementation Flaw in FreePBX Affects Credential Validation
CVE-2026-44237

7.6 HIGH

Key Information:

Vendor: FreePBX

CVE Published: 29 May 2026

What is CVE-2026-44237?

The FreePBX API module contains a significant vulnerability caused by insufficient validation of client credentials during OAuth2 token issuance. In versions before 17.0.8, the validateClient() method in ClientRepository.php does not adequately check the client_secret. As a result, an attacker who holds a valid client_id can obtain OAuth2 access tokens without presenting the corresponding client_secret, potentially gaining unauthorized access to system functions and sensitive data. The issue is fixed in version 17.0.8.
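The following is an added illustrative example, not FreePBX's own code, of what a correctly hardened validateClient() looks like: the client table, client names and secret values are constructed here, and the method signature is assumed to follow the league/oauth2-server ClientRepositoryInterface shape (clientIdentifier, clientSecret, grantType). The point is that for a confidential client a missing, empty or mismatched client_secret must always fail, and comparison against the stored secret hash must be constant-time.

```php
<?php
declare(strict_types=1);

// Added example, not FreePBX code. The repository shape mirrors the
// league/oauth2-server ClientRepositoryInterface (an assumption).
final class HardenedClientRepository
{
    /** @var array<string, array{secret_hash: string, confidential: bool, grants: string[]}> */
    private array $clients;

    public function __construct(array $clients)
    {
        $this->clients = $clients;
    }

    public function validateClient(string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool
    {
        $client = $this->clients[$clientIdentifier] ?? null;
        if ($client === null) {
            return false;                                   // unknown client_id
        }
        if (!in_array($grantType, $client['grants'], true)) {
            return false;                                   // grant not allowed for this client
        }
        if ($client['confidential']) {
            // A confidential client must present a secret. Absent or empty input
            // is a hard failure, never a pass-through to token issuance.
            if ($clientSecret === null || $clientSecret === '') {
                return false;
            }
            // password_verify() compares in constant time against the stored hash,
            // so a wrong secret costs the same as a right one.
            return password_verify($clientSecret, $client['secret_hash']);
        }
        return true;   // public clients carry no secret; the grant check above still applies
    }
}

// Constructed sample store: one confidential client whose secret is stored hashed.
$repo = new HardenedClientRepository([
    'pbx-dashboard' => [
        'secret_hash'  => password_hash('example-secret-not-real', PASSWORD_DEFAULT),
        'confidential' => true,
        'grants'       => ['client_credentials'],
    ],
]);

var_dump($repo->validateClient('pbx-dashboard', 'example-secret-not-real', 'client_credentials')); // correct secret
var_dump($repo->validateClient('pbx-dashboard', '', 'client_credentials'));    // empty secret must fail
var_dump($repo->validateClient('pbx-dashboard', null, 'client_credentials'));  // missing secret must fail
var_dump($repo->validateClient('pbx-dashboard', 'wrong', 'client_credentials')); // mismatched secret must fail
```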

Affected Version(s)

security-reporting < 17.0.8

CVSS v4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved