CVE-2026-44237
FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module
| Metric | Value |
|---|---|
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.
| Field | Value |
|---|---|
| CWE | CWE-1390 |
| Vendor | freepbx |
| Product | security-reporting |
| Published | May 29, 2026 |
| Last Updated | May 30, 2026 |
Affected Versions
FreePBX / security-reporting
< 17.0.8
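The defect described above, shown as an added illustration beside a hardened form; this is not FreePBX's own code, and the in-memory client store, the `password_hash()` secret storage and the exact method shape are assumptions made for the example.

```php
<?php
// Added example, not FreePBX code. The client store layout, the hashed-secret
// storage and the helper names below are assumptions for illustration.

// Vulnerable pattern: validateClient() ignores the secret and grant type, so a
// caller who knows a valid client_id is issued a token regardless of the secret.
final class VulnerableClientRepository
{
    public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
    {
        return true;
    }
}

// Hardened pattern: look the client up, restrict the grant types it may use,
// require a secret, and compare it against a stored hash in constant time.
final class HardenedClientRepository
{
    /** @var array<string, array{secret_hash: string, grants: string[]}> */
    private array $clients;

    public function __construct(array $clients)
    {
        $this->clients = $clients;
    }

    public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
    {
        $client = $this->clients[$clientIdentifier] ?? null;
        if ($client === null) {
            return false;                                   // unknown client_id
        }
        if (!in_array($grantType, $client['grants'], true)) {
            return false;                                   // grant not allowed for this client
        }
        if (!is_string($clientSecret) || $clientSecret === '') {
            return false;                                   // confidential client: secret required
        }
        // password_verify() compares against the stored hash in constant time.
        return password_verify($clientSecret, $client['secret_hash']);
    }
}

// Constructed sample client: id "demo-client", secret "s3cret" stored hashed.
$repo = new HardenedClientRepository([
    'demo-client' => ['secret_hash' => password_hash('s3cret', PASSWORD_DEFAULT),
                      'grants'      => ['client_credentials']],
]);
var_dump((new VulnerableClientRepository())->validateClient('demo-client', 'wrong', 'client_credentials')); // bool(true)
var_dump($repo->validateClient('demo-client', 'wrong', 'client_credentials'));  // bool(false)
var_dump($repo->validateClient('demo-client', 's3cret', 'client_credentials')); // bool(true)
var_dump($repo->validateClient('demo-client', 's3cret', 'password'));           // bool(false)
```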