CVE-2026-44238

Analyzed Analyzed - Analysis Complete

SQL Injection in FreePBX CDR Reports Module

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-29

Last Modified

2026-06-01

Generated

2026-06-19

AI Q&A

2026-05-29

EPSS Evaluated

2026-06-18

NVD

CVE-2026-44238

EUVD

EUVD-2026-33298

Affected Vendors & Products

Vendor	Product	Version / Range
sangoma	freepbx	to 16.0.50 (exc)
sangoma	freepbx	From 17.0 (inc) to 17.0.11 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-44238 is an authenticated SQL injection vulnerability in the CDR Reports module of FreePBX versions 16 and 17. It occurs because the `order` and `sort` POST parameters are improperly handled and directly inserted into the ORDER BY clause of SQL queries without proper sanitization.

The function used to process these inputs, `escapeSimple()`, only escapes single quotes, which does not prevent SQL injection in this context where the parameters are unquoted.

To exploit this vulnerability, an attacker needs access to a FreePBX Administration Control Panel account with CDR section privileges, but full administrator rights are not required.

Successful exploitation could allow the attacker to execute arbitrary SQL commands, potentially exposing sensitive data within the database.

Impact Analysis

This vulnerability can have a significant impact by allowing an attacker with limited privileges to perform SQL injection attacks on the FreePBX database.

Such an attack could lead to unauthorized access to sensitive data stored in the database, compromising confidentiality.

It may also affect the integrity of the data by allowing modification or deletion of records.

Because the attack vector is network-based and requires only low attack complexity, it poses a high risk if an attacker gains the necessary access.

Mitigation involves updating FreePBX to versions 16.0.50 or 17.0.11 or later, restricting access to the Administration Control Panel, and using firewall protections.

Detection Guidance

This vulnerability involves SQL injection through the order and sort POST parameters in the CDR Reports module of FreePBX. Detection would require monitoring or testing these specific POST parameters for injection attempts.

Since exploitation requires authentication with a FreePBX Administration Control Panel account that has CDR section access, detection can include reviewing logs for suspicious POST requests to the CDR Reports module containing unusual or malformed order or sort parameters.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the FreePBX CDR Reports module to version 16.0.50 or later for FreePBX 16, or version 17.0.11 or later for FreePBX 17, where this vulnerability is fixed.

Restrict access to the FreePBX Administration Control Panel, especially limiting accounts with CDR section privileges.
Use the FreePBX Firewall module to block hostile networks from accessing the administration interface.

Compliance Impact

This vulnerability allows an attacker with access to a FreePBX Administration Control Panel account with CDR section privileges to perform SQL injection, potentially exposing sensitive data stored in the database.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and health-related information from unauthorized access.

Therefore, if exploited, this vulnerability could compromise confidentiality and integrity of data, impacting compliance with these common standards and regulations.

Hi! I’m here to help you understand CVE-2026-44238. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-44238

SQL Injection in FreePBX CDR Reports Module

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart