CVE-2026-28209
Undergoing Analysis Undergoing Analysis - In Progress
Command Injection in FreePBX ElevenLabs TTS Module

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: GitHub, Inc.

Description
FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28209
EUVD
EUVD-2026-9856
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sangoma freepbx From 16.0.17.2 (inc) to 16.0.20 (exc)
sangoma freepbx From 17.0.2.4 (inc) to 17.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows remote attackers with valid credentials to execute arbitrary commands on the FreePBX host system.

Such exploitation can lead to severe impacts on the confidentiality, integrity, and availability of the FreePBX server.

  • Remote code execution as the asterisk user
  • Potential full system compromise
  • Loss or unauthorized access to sensitive data
  • Disruption of telephony services managed by FreePBX
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28209 is an authenticated command injection vulnerability in FreePBX's Text-to-Speech (TTS) integration with the ElevenLabs engine, specifically within the recordings module."}, {'type': 'paragraph', 'content': 'It affects FreePBX versions 16.0.17.2 through 16.0.19.x and 17.0.2.4 through 17.0.4.x, and has been patched in versions 16.0.20 and 17.0.5.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because user-controlled input is passed unsanitized to a shell command executed via PHP’s exec() function, allowing authenticated attackers to perform remote code execution (RCE) on the FreePBX server.'}, {'type': 'paragraph', 'content': 'Exploitation requires authentication with a known username and a configured ElevenLabs API key, and is triggered through an AJAX endpoint in the System Recordings module.'}, {'type': 'paragraph', 'content': 'Successful exploitation allows arbitrary shell command execution as the asterisk user, potentially leading to full system compromise.'}] [1]

Detection Guidance

This vulnerability is an authenticated command injection in the FreePBX recordings module when using the ElevenLabs Text-to-Speech engine. Detection involves verifying if your FreePBX installation is running a vulnerable version (16.0.17.2 to before 16.0.20 or 17.0.2.4 to before 17.0.5) and if the ElevenLabs TTS integration is enabled.

Since exploitation requires authentication and access to the recordings module, monitoring access logs for suspicious authenticated AJAX requests to the recordings module endpoints may help detect attempts.

No specific detection commands are provided in the resources, but you can check your FreePBX version with commands like:

  • fwconsole --version
  • rpm -qa | grep freepbx

Additionally, reviewing web server logs for unusual POST requests to the recordings module AJAX endpoints or unexpected command execution traces may indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the FreePBX recordings module to the patched versions 16.0.20 or 17.0.5 or later, which contain the fix for this command injection vulnerability.

Additionally, restrict access to the FreePBX Administration Control Panel (ACP) by using FreePBX User Management, SysAdmin VPN, Multi-Factor Authentication (MFA), SAML modules, and the FreePBX Firewall module to block unauthorized or hostile network access.

These measures reduce the risk of exploitation by limiting who can authenticate and access the vulnerable recordings module.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28209. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart