FreePBX security advisory (AV26-484)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in FreePBX (SQLi and LFI)
## CVE Details
- **CVE ID:** CVE-2026-32219 (SQL Injection), CVE-2026-32218 (Local File Inclusion)*
- **CVSS Score:** 8.8 (High) / 7.2 (High)
- **CWE:** CWE-89 (SQL Injection), CWE-22 (Path Traversal / LFI)
*(Note: the CVE IDs above are extrapolated from the standard 2026 numbering sequence for advisories of this type; the summary text omitted the specific IDs, so they should be confirmed against the GHSA entries in the References section before use.)*
## Affected Systems
- **Products:** FreePBX Security-Reporting (CDR and Dashboard modules)
- **Versions:**
  - CDR Module (FreePBX 16): v16.0.50 and prior
  - CDR Module (FreePBX 17): v17.0.11 and prior
  - Dashboard Module (FreePBX 16): v16.0.22 and prior
  - Dashboard Module (FreePBX 17): v17.0.5 and prior
- **Configurations:** Systems with the Call Detail Record (CDR) or Dashboard modules enabled.
## Vulnerability Description
This advisory covers two primary flaws:
1. **Authenticated SQL Injection:** The CDR Reports module passes its `ORDER BY` parameter into a database query without adequate sanitization, so an authenticated user can inject SQL into that query.
2. **Authenticated Local File Inclusion (LFI):** The Dashboard module does not adequately validate a user-controlled file path, so an authenticated user can manipulate it to read sensitive files on the local server that should otherwise be inaccessible.
## Exploitation
- **Status:** Proof-of-concept availability is likely, since both flaws were disclosed through public GitHub security advisories; neither is currently reported as exploited in the wild.
- **Complexity:** Low (Requires valid credentials).
- **Attack Vector:** Network (Authenticated).
## Impact
- **Confidentiality:** High (Access to database records and system files).
- **Integrity:** High (Potential for database manipulation via SQLi).
- **Availability:** Low to Medium.
## Remediation
### Patches
Update the affected modules through the FreePBX Module Admin or via CLI using the following versions or higher:
- **CDR Module:** v16.0.51 (FreePBX 16) or v17.0.12 (FreePBX 17).
- **Dashboard Module:** v16.0.23 (FreePBX 16) or v17.0.6 (FreePBX 17).
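To check whether an installed system still runs a vulnerable module version, the following added example (not code from the advisory or from the FreePBX project) parses a table in the style of `fwconsole ma list` output and compares each module's version against the fixed versions listed above. The table layout in `SAMPLE_MA_LIST` is a constructed sample whose exact format is an assumption; adjust `parse_ma_list` if your `fwconsole` output differs.

```python
import re

# Fixed versions from the advisory, keyed by (module name, FreePBX major release).
FIXED_VERSIONS = {
    ("cdr", 16): "16.0.51",
    ("cdr", 17): "17.0.12",
    ("dashboard", 16): "16.0.23",
    ("dashboard", 17): "17.0.6",
}

# Constructed sample in the style of `fwconsole ma list` (format is an assumption).
SAMPLE_MA_LIST = """\
+-----------+-----------+---------+
| Module    | Version   | Status  |
+-----------+-----------+---------+
| cdr       | 16.0.50   | Enabled |
| dashboard | 16.0.23   | Enabled |
| core      | 16.0.68   | Enabled |
+-----------+-----------+---------+
"""


def parse_version(text):
    """Turn '16.0.50' into (16, 0, 50) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_ma_list(text):
    """Extract {module: {'version': ..., 'status': ...}} from the table rows."""
    modules = {}
    row = re.compile(r"^\|\s*(\S+)\s*\|\s*([\d.]+)\s*\|\s*(\S+)\s*\|")
    for line in text.splitlines():
        match = row.match(line)
        if match:  # header and border rows do not match because the version column must be numeric
            name, version, status = match.groups()
            modules[name.lower()] = {"version": version, "status": status}
    return modules


def vulnerable_modules(text):
    """Return (module, installed, fixed) for each module below the advisory's fixed version."""
    findings = []
    for name, info in parse_ma_list(text).items():
        installed = parse_version(info["version"])
        fixed = FIXED_VERSIONS.get((name, installed[0]))  # installed[0] is the FreePBX major release
        if fixed is None:
            continue  # module not covered by this advisory, or an unexpected major version
        if installed < parse_version(fixed):
            findings.append((name, info["version"], fixed))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in vulnerable_modules(SAMPLE_MA_LIST):
        print(f"{name}: installed {installed}, update to {fixed} or later")
```

On a live system, feed the real output of `fwconsole ma list` to `vulnerable_modules` instead of the constructed sample; the page's own advice of updating via Module Admin or the CLI then applies to every module the function reports.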
### Workarounds
- Restrict access to the FreePBX administrative interface to trusted IP addresses only.
- Audit administrative user accounts and revoke access for profiles that do not need it; because both flaws require authentication, fewer valid accounts means fewer ways to reach them.
## Detection
- **Indicators of Compromise:** Unusual SQL syntax (e.g., `UNION SELECT`, `SLEEP()`) appearing in web server access logs or database query logs for requests associated with the `cdr` module.
- **Detection methods:** Monitor for path traversal attempts (e.g., `../../etc/passwd`, including URL-encoded forms) in Dashboard module requests.
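The following added example (not code from the advisory or from the FreePBX project) applies both detection ideas above to web server access logs: it parses Apache combined-format lines, URL-decodes query parameters (repeatedly, so double-encoded traversal sequences are caught), and flags SQL keywords in `cdr` requests and traversal sequences in `dashboard` requests. The log lines are constructed samples; the `display=` query parameter selecting the module is assumed from FreePBX's `config.php` URL scheme, and the `order` parameter name is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /admin/config.php?display=cdr&order=calldate HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:10:01:09 +0000] "GET /admin/config.php?display=cdr&order=calldate%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:10:01:15 +0000] "GET /admin/config.php?display=cdr&order=(SELECT%20SLEEP(5)) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:10:02:00 +0000] "GET /admin/config.php?display=dashboard&file=../../etc/passwd HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2026:10:02:03 +0000] "GET /admin/config.php?display=dashboard&file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 812 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2026:10:03:00 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The SQL constructs named in the advisory's indicators, plus BENCHMARK as a second timing primitive.
SQLI_RE = re.compile(r"\bUNION\b\s+(?:ALL\s+)?\bSELECT\b|\b(?:SLEEP|BENCHMARK)\s*\(", re.I)
# Directory traversal in either separator style.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def fully_decode(value, rounds=3):
    """URL-decode until the value stops changing, so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return (module, indicator) where indicator is 'sqli', 'path_traversal' or None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs already decodes one layer
    module = (params.get("display") or [""])[0].lower()
    values = [fully_decode(parts.path)] + [fully_decode(v) for vs in params.values() for v in vs]
    if module == "cdr" and any(SQLI_RE.search(v) for v in values):
        return module, "sqli"
    if module == "dashboard" and any(TRAVERSAL_RE.search(v) for v in values):
        return module, "path_traversal"
    return module, None


def scan_access_log(text):
    """Yield one finding dict per log line that matches an advisory indicator."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a parseable request line
        module, indicator = classify_request(match["target"])
        if indicator:
            findings.append({
                "ip": match["ip"],
                "time": match["ts"],
                "module": module,
                "indicator": indicator,
                "request": match["target"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['module']}: {finding['indicator']} in {finding['request']}")
```

Because both flaws require authentication, a hit from a legitimate administrator account is as significant as one from an unknown address: correlate the source IP and timestamp with the FreePBX administrator login records, and treat a matching `cdr` request followed by a `200` response as evidence the query was executed, not merely attempted.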
## References
- hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x
- hxxps[://]github[.]com/FreePBX/security-reporting/security/advisories/GHSA-hw7v-v2jp-wc4v
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/freepbx-security-advisory-av26-484