Description

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.

INFO

Published Date :

2026-04-21T12:41:05.281Z

Last Modified :

2026-04-21T13:32:06.116Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40520 vulnerability.

Vendors Products
Freepbx
  • Api
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40520.

URL Resource
https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/Api.class.php#L546C1-L554C3 cve-icon cve-icon
https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/ApiGqlHelper.class.php#L34C1-L36C136 cve-icon cve-icon
https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6 cve-icon cve-icon
https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact