FreePBX api module Command Injection via GraphQL_CVE-2026-40520

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.

AI Analysis

Command injection vulnerability in FreePBX api module via GraphQL

Basic Information

ID CVE-2026-40520

Source VulnCheck

Published Apr 21, 2026 at 12:41

Modified Apr 21, 2026 at 13:32

Affected Product

Vendor FreePBX

Product api

Affected Versions FreePBX api 0

CWE Classification

CWE-78

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor FreePBX

Product FreePBX api module

Version 17.0.8 and prior

References

{
    "lastseen": "",
    "description": "FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.",
    "published": "2026-04-21T12:41:05.281Z",
    "modified": "2026-04-21T13:32:06.116Z",
    "type": "cve",
    "title": "FreePBX api module Command Injection via GraphQL",
    "source": "VulnCheck",
    "references": "https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6\nhttps://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/Api.class.php#L546C1-L554C3\nhttps://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/ApiGqlHelper.class.php#L34C1-L36C136\nhttps://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql",
    "id": "CVE-2026-40520",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "FreePBX api 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "api",
    "version": "0",
    "vendor": "FreePBX",
    "ai_description": "Command injection vulnerability in FreePBX api module via GraphQL",
    "ai_severity": "High",
    "ai_vendor": "FreePBX",
    "ai_product": "FreePBX api module",
    "ai_version": "17.0.8 and prior",
    "ai_score": 8.6
}