Vulnerability Details CVE-2026-40520
FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 49.5%
CVSS Severity
CVSS v3 Score 7.2
References
- https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/Api.class.php#L546C1-L554C3
- https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/ApiGqlHelper.class.php#L34C1-L36C136
- https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6
- https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql
Products affected by CVE-2026-40520
-
cpe:2.3:a:freepbx:api:15.0.1
-
cpe:2.3:a:freepbx:api:15.0.10
-
cpe:2.3:a:freepbx:api:15.0.11
-
cpe:2.3:a:freepbx:api:15.0.12
-
cpe:2.3:a:freepbx:api:15.0.13
-
cpe:2.3:a:freepbx:api:15.0.2
-
cpe:2.3:a:freepbx:api:15.0.2.1
-
cpe:2.3:a:freepbx:api:15.0.3
-
cpe:2.3:a:freepbx:api:15.0.3.1
-
cpe:2.3:a:freepbx:api:15.0.3.10
-
cpe:2.3:a:freepbx:api:15.0.3.11
-
cpe:2.3:a:freepbx:api:15.0.3.12
-
cpe:2.3:a:freepbx:api:15.0.3.13
-
cpe:2.3:a:freepbx:api:15.0.3.14
-
cpe:2.3:a:freepbx:api:15.0.3.15
-
cpe:2.3:a:freepbx:api:15.0.3.16
-
cpe:2.3:a:freepbx:api:15.0.3.17
-
cpe:2.3:a:freepbx:api:15.0.3.18
-
cpe:2.3:a:freepbx:api:15.0.3.19
-
cpe:2.3:a:freepbx:api:15.0.3.2
-
cpe:2.3:a:freepbx:api:15.0.3.20
-
cpe:2.3:a:freepbx:api:15.0.3.21
-
cpe:2.3:a:freepbx:api:15.0.3.22
-
cpe:2.3:a:freepbx:api:15.0.3.3
-
cpe:2.3:a:freepbx:api:15.0.3.4
-
cpe:2.3:a:freepbx:api:15.0.3.5
-
cpe:2.3:a:freepbx:api:15.0.3.6
-
cpe:2.3:a:freepbx:api:15.0.3.7
-
cpe:2.3:a:freepbx:api:15.0.3.8
-
cpe:2.3:a:freepbx:api:15.0.3.9
-
cpe:2.3:a:freepbx:api:15.0.4
-
cpe:2.3:a:freepbx:api:15.0.5
-
cpe:2.3:a:freepbx:api:15.0.6
-
cpe:2.3:a:freepbx:api:15.0.7
-
cpe:2.3:a:freepbx:api:15.0.8
-
cpe:2.3:a:freepbx:api:15.0.9
-
cpe:2.3:a:freepbx:api:16.0.10
-
cpe:2.3:a:freepbx:api:16.0.11
-
cpe:2.3:a:freepbx:api:16.0.12
-
cpe:2.3:a:freepbx:api:16.0.13
-
cpe:2.3:a:freepbx:api:16.0.14
-
cpe:2.3:a:freepbx:api:16.0.15
-
cpe:2.3:a:freepbx:api:16.0.16
-
cpe:2.3:a:freepbx:api:16.0.17
-
cpe:2.3:a:freepbx:api:16.0.2
-
cpe:2.3:a:freepbx:api:16.0.3
-
cpe:2.3:a:freepbx:api:16.0.4
-
cpe:2.3:a:freepbx:api:16.0.4.1
-
cpe:2.3:a:freepbx:api:16.0.4.10
-
cpe:2.3:a:freepbx:api:16.0.4.2
-
cpe:2.3:a:freepbx:api:16.0.4.3
-
cpe:2.3:a:freepbx:api:16.0.4.4
-
cpe:2.3:a:freepbx:api:16.0.4.5
-
cpe:2.3:a:freepbx:api:16.0.4.6
-
cpe:2.3:a:freepbx:api:16.0.4.7
-
cpe:2.3:a:freepbx:api:16.0.4.8
-
cpe:2.3:a:freepbx:api:16.0.4.9
-
cpe:2.3:a:freepbx:api:16.0.5
-
cpe:2.3:a:freepbx:api:16.0.6
-
cpe:2.3:a:freepbx:api:16.0.7
-
cpe:2.3:a:freepbx:api:16.0.8
-
cpe:2.3:a:freepbx:api:16.0.9
-
cpe:2.3:a:freepbx:api:17.0.1
-
cpe:2.3:a:freepbx:api:17.0.1.1
-
cpe:2.3:a:freepbx:api:17.0.1.2
-
cpe:2.3:a:freepbx:api:17.0.1.3
-
cpe:2.3:a:freepbx:api:17.0.1.4
-
cpe:2.3:a:freepbx:api:17.0.1.5
-
cpe:2.3:a:freepbx:api:17.0.1.6
-
cpe:2.3:a:freepbx:api:17.0.1.7
-
cpe:2.3:a:freepbx:api:17.0.2
-
cpe:2.3:a:freepbx:api:17.0.3
-
cpe:2.3:a:freepbx:api:17.0.4
-
cpe:2.3:a:freepbx:api:17.0.5
-
cpe:2.3:a:freepbx:api:17.0.6
-
cpe:2.3:a:freepbx:api:17.0.7