Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.

AI Analysis

Deserialization of untrusted data in the backup module, potentially leading to Remote Code Execution during restoration of the backup.

Basic Information

ID CVE-2026-26978

Source GitHub_M

Published May 18, 2026 at 20:49

Modified May 18, 2026 at 21:28

Affected Product

Vendor FreePBX

Product security-reporting

Version < 16.0.71

Affected Versions FreePBX security-reporting < 16.0.71
FreePBX security-reporting >= 17.0.0, < 17.0.6

CWE Classification

CWE-502

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor FreePBX

Product FreePBX

Version < 16.0.71, < 17.0.6

References

{
    "lastseen": "",
    "description": "FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.",
    "published": "2026-05-18T20:49:04.364Z",
    "modified": "2026-05-18T21:28:38.708Z",
    "type": "cve",
    "title": "Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php",
    "source": "GitHub_M",
    "references": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-5v7h-49gr-jcwr\nhttps://github.com/FreePBX/backup/commit/45c57e1207cbf9fd1c5f76f8a3e72d204a69a472\nhttps://github.com/FreePBX/backup/commit/64781af5c80cce0cff21a981be4d8e6a7a71f2c4",
    "id": "CVE-2026-26978",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "FreePBX security-reporting < 16.0.71\nFreePBX security-reporting >= 17.0.0, < 17.0.6",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "security-reporting",
    "version": "< 16.0.71",
    "vendor": "FreePBX",
    "ai_description": "Deserialization of untrusted data in the backup module, potentially leading to Remote Code Execution during restoration of the backup.",
    "ai_severity": "High",
    "ai_vendor": "FreePBX",
    "ai_product": "FreePBX",
    "ai_version": "< 16.0.71, < 17.0.6",
    "ai_score": 8.6
}

Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php_CVE-2026-26978