Critical FreePBX Vulnerability Exposes User Portals to Attackers

Severity: High (Score: 72.6)

Sources: Cybersecuritynews, Gbhackers

Published: 2026-05-20 · Updated: 2026-05-20

Keywords: user, freepbx, attackers, access, portals, vulnerability, allow

Severity indicators: vulnerability

Summary

A critical vulnerability in FreePBX, tracked as CVE-2026-46376, allows unauthenticated attackers to access user portals via the User Control Panel (UCP). The flaw arises from hard-coded credentials in the userman module and affects FreePBX versions prior to 16.0.45 and 17.0.7. Systems running outdated versions are particularly at risk. The vulnerability has a CVSS v4 base score of 9.1, indicating its severity. Administrators are urged to update their systems to mitigate the risk. The issue was disclosed on May 20, 2026, with no reports of active exploitation at this time.

Key Points:

  • CVE-2026-46376 allows unauthenticated access to FreePBX user portals.
  • The vulnerability affects FreePBX versions before 16.0.45 and 17.0.7.
  • Administrators are advised to upgrade systems to prevent potential exploitation.

Detailed Analysis

**Impact**

FreePBX installations running versions prior to 16.0.45 and 17.0.7 are vulnerable, potentially exposing user portals to unauthenticated attackers. This affects organizations using the open-source IP PBX platform globally, including sectors that rely on telephony infrastructure for communications. Unauthorized access to User Control Panels (UCP) could lead to operational disruptions and compromise of sensitive user data.

**Technical Details**

The vulnerability, tracked as CVE-2026-46376, resides in the “userman” module: hard-coded credentials allow unauthenticated access to the UCP interface. The flaw carries a CVSS v4 base score of 9.1, indicating critical severity. Exploitation bypasses authentication controls entirely, which places the flaw at the initial-access stage of the kill chain. No specific malware, tools, or IOCs were detailed in the available sources.

**Recommended Response**

Administrators should immediately update FreePBX to version 16.0.45 or 17.0.7 or later to remediate the vulnerability. Monitoring for unusual access patterns to the User Control Panel and restricting network access to the UCP interface can reduce exposure. In the absence of detailed IOCs, defenders should focus on patch management and network segmentation to limit attacker access.
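Because the fix lands on two separate release lines, a naive "is my version newer than 17.0.7?" check gets 16.x hosts wrong (16.0.50 is fixed, 17.0.3 is not). The following branch-aware inventory check is an added example written for this page; it is not code from the FreePBX project or from either source article. The fixed versions 16.0.45 and 17.0.7 come from the advisory; the host names and version strings in the sample inventory are constructed, treating any release older than the 16 line as "prior to 16.0.45" (hence vulnerable) and release lines newer than 17 as not covered by the advisory are interpretations made here, not statements from the page.

```python
"""Branch-aware check of FreePBX version strings against the CVE-2026-46376 fix.

Added example (not FreePBX project code). The inventory below is constructed
sample data; replace it with whatever your asset inventory reports.
"""
from typing import Dict, Tuple

# Fixed versions named in the advisory, keyed by major release line.
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {
    16: (16, 0, 45),
    17: (17, 0, 7),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.40' into (16, 0, 40); pad short strings like '16.0' to three parts.

    Raises ValueError for anything non-numeric so a bad inventory entry is
    never silently treated as patched.
    """
    parts = text.strip().split(".")
    try:
        nums = tuple(int(p) for p in parts)
    except ValueError as exc:
        raise ValueError(f"unparseable FreePBX version {text!r}") from exc
    while len(nums) < 3:
        nums += (0,)
    return nums


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string.

    Compare within the host's own release line: a 16.x host is fixed at
    16.0.45, a 17.x host at 17.0.7. Tuple comparison handles extra trailing
    components (e.g. 16.0.45.1 >= 16.0.45).
    """
    version = parse_version(version_text)
    major = version[0]
    if major < 16:
        # Older than every fixed release, and no fixed build exists on this
        # line (interpretation of "prior to 16.0.45" made in this example).
        return "vulnerable"
    if major > 17:
        # Release line not named in the advisory; needs manual review.
        return "unknown"
    return "fixed" if version >= FIXED_VERSIONS[major] else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a whole inventory."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (host -> reported FreePBX version).
SAMPLE_INVENTORY: Dict[str, str] = {
    "pbx-hq": "16.0.40",
    "pbx-branch": "16.0.45",
    "pbx-lab": "17.0.3",
    "pbx-new": "17.0.7",
    "pbx-legacy": "15.0.16",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:10s} {status}")
```

Run it as-is to see the constructed inventory triaged; in practice, feed `triage()` the version strings your inventory tool reports and treat every "vulnerable" or "unknown" host as a candidate for the network restriction on the UCP interface described above until it is patched.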

Source articles (2)

  • FreePBX Vulnerability Allow Attackers to Gain Access to User Portals — Cybersecuritynews · 2026-05-20
    A critical vulnerability in the open-source IP PBX platform FreePBX could allow unauthenticated attackers to access user portals. The issue, tracked as CVE-2026-46376, affects the User Control Panel (…
  • FreePBX Security Flaw Lets Attackers Access User Portals — Gbhackers · 2026-05-20
    A critical security vulnerability has been discovered in FreePBX, a widely used open-source PBX platform, allowing unauthenticated attackers to access user portals under certain conditions. The flaw,…

Timeline

  • 2026-05-20 — CVE-2026-46376 disclosed: A critical vulnerability in FreePBX was identified, allowing unauthorized access to user portals.
  • 2026-05-20 — CVE-2026-46376 reported by multiple sources: The flaw was reported across various cybersecurity platforms, highlighting its critical nature and impact.

CVEs

  • CVE-2026-46376

Related entities

  • Data Breach (Attack Type)
  • CWE-287 - Improper Authentication (CWE)
  • CWE-798 - Use of Hard-coded Credentials (CWE)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • FreePBX (Platform)