Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSangoma Freepbx
APPSangoma13.0.0.0 – 13.0.197.1314.0.0.0 – 14.0.13.1115.0.0.0 – 15.0.16.26
CISA KEV — detailsi
- Vendori
- Sangoma
- Producti
- FreePBX
- Added to KEVi
- February 3, 2026
- Remediation deadline (US Federal)i
- February 24, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.
Related vulnerabilities
Krytyczna podatność RCE i SQL injection w Sangoma FreePBX (bez uwierzytelnienia)
FreePBX UCP: dostęp bez uwierzytelnienia przez wbudowane dane logowania
FreePBX Endpoint Manager — pominięcie uwierzytelnienia (Auth Bypass)
FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, a...
The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allo...