CVE-2026-26978: CWE-502: Deserialization of Untrusted Data in FreePBX security-reporting
FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.
AI Analysis
Technical Summary
CVE-2026-26978 is a deserialization of untrusted data vulnerability (CWE-502) in FreePBX's backup module. When restoring backups, FreePBX extracts files from a user-supplied tar archive and unserializes data without validation or class restrictions. This enables remote code execution as the web server user (typically asterisk or www-data) if the backup archive contains maliciously crafted data. Exploitation requires authentication with a user account that has sufficient access to perform backup restore operations. The issue affects FreePBX versions below 16.0.71 and versions from 17.0.0 up to but not including 17.0.6. The vulnerability is addressed in versions 16.0.71 and 17.0.6.
Potential Impact
Successful exploitation allows remote code execution as the web server user during backup restore operations. This can lead to full compromise of the FreePBX system under the privileges of the web server user. No shell or CLI access is required beyond normal backup restore permissions. The vulnerability requires an authenticated user with sufficient privileges, limiting exposure to authorized users.
Mitigation Recommendations
This vulnerability has been fixed in FreePBX versions 16.0.71 and 17.0.6. Users should upgrade to these or later versions to remediate the issue. Until upgraded, restrict backup restore permissions to trusted users only. Patch status is not explicitly stated in the vendor advisory beyond the fixed versions; therefore, verify with official FreePBX sources for the latest remediation guidance.
CVE-2026-26978: CWE-502: Deserialization of Untrusted Data in FreePBX security-reporting
Description
FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-26978 is a deserialization of untrusted data vulnerability (CWE-502) in FreePBX's backup module. When restoring backups, FreePBX extracts files from a user-supplied tar archive and unserializes data without validation or class restrictions. This enables remote code execution as the web server user (typically asterisk or www-data) if the backup archive contains maliciously crafted data. Exploitation requires authentication with a user account that has sufficient access to perform backup restore operations. The issue affects FreePBX versions below 16.0.71 and versions from 17.0.0 up to but not including 17.0.6. The vulnerability is addressed in versions 16.0.71 and 17.0.6.
Potential Impact
Successful exploitation allows remote code execution as the web server user during backup restore operations. This can lead to full compromise of the FreePBX system under the privileges of the web server user. No shell or CLI access is required beyond normal backup restore permissions. The vulnerability requires an authenticated user with sufficient privileges, limiting exposure to authorized users.
Mitigation Recommendations
This vulnerability has been fixed in FreePBX versions 16.0.71 and 17.0.6. Users should upgrade to these or later versions to remediate the issue. Until upgraded, restrict backup restore permissions to trusted users only. Patch status is not explicitly stated in the vendor advisory beyond the fixed versions; therefore, verify with official FreePBX sources for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-17T01:41:24.605Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0b82e3ec166c07b0fdb3ce
Added to database: 5/18/2026, 9:21:39 PM
Last enriched: 5/18/2026, 9:36:35 PM
Last updated: 5/18/2026, 10:56:53 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.