CVE-2026-49848
Status: Undergoing Analysis - In Progress
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: freeswitch | Product: freeswitch | Version / Range: versions before 1.11.1 (1.11.1 excluded)
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Quick Actions
Executive Summary

CVE-2026-49848 is a moderate severity vulnerability in FreeSWITCH's mod_verto module that allows userVariables supplied in a login request to enter the connection state before authentication has completed.

The issue occurs because the userauth branch of check_auth writes request-supplied userVariables into the connection state before comparing the supplied password.

The writes are append-only and the connection is not closed on a failed compare, so variables declared on a bad-password attempt persist on the WebSocket and are carried into a subsequent successful login on that same connection, where they apply to the authenticated session.

An attacker who holds valid credentials for any account on the same listener can use this to influence call-side variables on outbound verto.invite calls and on inbound INVITEs.

The vulnerability affects mod_verto profiles with userauth enabled, which is the default setting.

The attack requires network access to the verto WebSocket listener and credentials for an account on it; it requires neither elevated privileges nor user interaction.
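The ordering problem described above, modeled as an added Python example; this is not FreeSWITCH's code, and the names (VertoConnection, check_auth_vulnerable, check_auth_fixed, the DIRECTORY credential store) are assumptions for illustration. The "fixed" variant only shows the obvious reordering; it does not claim to reproduce the actual 1.11.1 patch.

```python
"""Model of the CVE-2026-49848 ordering flaw (added example, not mod_verto code).

Shows why append-only writes before the password compare, on a connection
that stays open after a failed compare, let variables from a bad-password
attempt survive into a later successful login on the same WebSocket.
"""
import hmac

# Constructed credential store standing in for the FreeSWITCH user directory.
DIRECTORY = {"1000@example.com": "correct-horse"}


class VertoConnection:
    """Per-WebSocket connection state (hypothetical name).

    user_vars is append-only, as the advisory states for the real code."""

    def __init__(self):
        self.user_vars: list[tuple[str, str]] = []
        self.authed = False

    def apply_user_variables(self, user_variables: dict) -> None:
        for key, value in user_variables.items():
            self.user_vars.append((key, str(value)))


def _password_ok(login: str, passwd: str) -> bool:
    expected = DIRECTORY.get(login)
    return expected is not None and hmac.compare_digest(expected, passwd)


def check_auth_vulnerable(conn: VertoConnection, params: dict) -> bool:
    """Pre-1.11.1 ordering: userVariables are written into the connection
    state first; a failed compare neither rolls them back nor closes the
    socket, so the caller may simply try again on the same connection."""
    conn.apply_user_variables(params.get("userVariables", {}))
    if not _password_ok(params["login"], params["passwd"]):
        return False  # state already polluted, connection still open
    conn.authed = True
    return True


def check_auth_fixed(conn: VertoConnection, params: dict) -> bool:
    """Hardened ordering: nothing is written until the compare succeeds."""
    if not _password_ok(params["login"], params["passwd"]):
        return False
    conn.apply_user_variables(params.get("userVariables", {}))
    conn.authed = True
    return True


def leaked_vars(check_auth) -> list[str]:
    """Two logins on one connection: a bad-password attempt that declares a
    variable, then a good one that declares none.  Returns the variable
    names visible to the session after the good login."""
    conn = VertoConnection()
    bad = {"login": "1000@example.com", "passwd": "wrong",
           "userVariables": {"injected_var": "attacker-controlled"}}
    good = {"login": "1000@example.com", "passwd": "correct-horse"}
    assert check_auth(conn, bad) is False
    assert check_auth(conn, good) is True
    return [name for name, _ in conn.user_vars]


if __name__ == "__main__":
    print("vulnerable:", leaked_vars(check_auth_vulnerable))  # ['injected_var']
    print("fixed:     ", leaked_vars(check_auth_fixed))       # []
```

The point of the model is that the second login is entirely legitimate; the damage was done by the first request, which never had to authenticate to write into the connection.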

Impact Analysis

An attacker with network access to the verto WebSocket listener and valid credentials for an account on it can declare userVariables on a deliberately failed login attempt and then log in successfully on the same WebSocket; the variables from the failed attempt remain in the connection state and apply to the authenticated session.

Because those variables are carried into the session, the attacker can influence call-side variables on the calls that session places (verto.invite) or receives (inbound INVITEs).

The impact is to integrity: call behavior or parameters can be influenced without proper authorization. Neither elevated privileges nor user interaction is required.

Mitigations are to upgrade to FreeSWITCH 1.11.1 or later, to restrict access to the verto WebSocket listener to trusted networks, and to disable mod_verto where it is not used.

Detection Guidance

The exploitation pattern is specific: on a single verto WebSocket connection, a login request that carries userVariables fails (bad password), and a later login request on the same connection succeeds. On an unpatched server the variables from the failed attempt then apply to the authenticated session.

Whether a host is vulnerable is a version question, not a traffic question: compare the running build (for example, fs_cli -x version) against 1.11.1. Traffic and log review tell you whether someone is trying to use the flaw, not whether you are exposed to it.

Passive capture only helps on a plaintext listener. The default verto profile binds a ws listener on port 8081 and a wss (TLS) listener on port 8082; frames on the TLS listener cannot be inspected from a packet capture without the server's TLS keys, so rely on server-side logging or a terminating WebSocket proxy there.

Example commands for a plaintext listener on port 8081 (adjust to the configured bind-local port):

  • tcpdump -i <interface> port 8081 -w capture.pcap
  • tshark -r capture.pcap -d tcp.port==8081,http -Y "websocket" -T fields -e tcp.stream -e tcp.dstport -e websocket.payload.text

In the decoded payloads, look for JSON-RPC "login" requests containing userVariables that receive an error response, followed by a "login" request on the same TCP stream that receives a result. A single login carrying userVariables is normal verto client behavior and is not by itself an indicator.
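The detection logic described above, as an added Python example that is not part of the original page or of FreeSWITCH. It assumes tshark output in the field layout "tcp.stream, tcp.dstport, websocket.payload.text" (tab-separated, one packet per line) and infers direction from the destination port; the sample lines are constructed, and the error object in them is a placeholder rather than the real verto error code.

```python
"""Flag verto connections where a failed login declared userVariables and a
later login on the same connection succeeded (added example, not FreeSWITCH
code).  Input is decoded WebSocket text frames grouped by TCP stream."""
import json
from collections import defaultdict

# Constructed tshark output: stream 3 shows the exploitation pattern (bad
# password with userVariables, then a good login on the same socket);
# stream 4 is an ordinary client that logs in once with userVariables.
TSHARK_LINES = [
    '3\t8081\t{"jsonrpc":"2.0","method":"login","params":{"login":"1000@example.com",'
    '"passwd":"wrong","userVariables":{"injected_var":"x"}},"id":1}',
    '3\t51822\t{"jsonrpc":"2.0","id":1,"error":{"message":"login failed"}}',
    '3\t8081\t{"jsonrpc":"2.0","method":"login","params":{"login":"1000@example.com",'
    '"passwd":"right"},"id":2}',
    '3\t51822\t{"jsonrpc":"2.0","id":2,"result":{"message":"logged in"}}',
    '4\t8081\t{"jsonrpc":"2.0","method":"login","params":{"login":"1001@example.com",'
    '"passwd":"ok","userVariables":{"display":"Bob"}},"id":1}',
    '4\t51900\t{"jsonrpc":"2.0","id":1,"result":{"message":"logged in"}}',
]


def frames_from_tshark(lines, listener_port):
    """Turn '-T fields -e tcp.stream -e tcp.dstport -e websocket.payload.text'
    output into (conn_id, direction, text) tuples.  Packets whose destination
    port is the listener are client-to-server ('c2s'); all others are 's2c'."""
    frames = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3 or not parts[2]:
            continue  # packet carried no WebSocket text frame
        stream, dstport, text = parts[0], parts[1], parts[2]
        direction = "c2s" if dstport == str(listener_port) else "s2c"
        frames.append((f"tcp.stream {stream}", direction, text))
    return frames


def find_variable_carryover(frames):
    """Return one finding per connection on which a 'login' request carrying
    userVariables was answered with an error and a later 'login' on the same
    connection was answered with a result.  'carried_over' lists the variable
    names that would persist into the session on an unpatched server."""
    pending = {}                     # (conn, id) -> userVariables of an outstanding login
    failed_vars = defaultdict(dict)  # conn -> variables declared on failed attempts
    findings = []
    for conn, direction, text in frames:
        try:
            msg = json.loads(text)
        except json.JSONDecodeError:
            continue  # not a verto JSON-RPC frame
        if direction == "c2s" and msg.get("method") == "login":
            params = msg.get("params") or {}
            pending[(conn, msg.get("id"))] = dict(params.get("userVariables") or {})
        elif direction == "s2c" and (conn, msg.get("id")) in pending:
            declared = pending.pop((conn, msg.get("id")))
            if "error" in msg:
                failed_vars[conn].update(declared)
            elif "result" in msg and failed_vars.get(conn):
                findings.append({"connection": conn,
                                 "carried_over": sorted(failed_vars.pop(conn))})
    return findings


if __name__ == "__main__":
    for finding in find_variable_carryover(frames_from_tshark(TSHARK_LINES, 8081)):
        print(finding)
```

Repeated failed logins without userVariables are ordinary brute-force noise and are deliberately not reported here; the indicator is variables declared on a failure that a later success on the same connection would inherit.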

Mitigation Strategies

Immediate mitigation steps for this vulnerability include:

  • Upgrade to FreeSWITCH 1.11.1 or later, where the issue is patched; this is the only complete fix.
  • Restrict access to the verto WebSocket listener (the bind-local addresses and ports in verto.conf.xml) to trusted networks, minimizing exposure to untrusted or public networks.
  • Disable the mod_verto module if it is not in use to eliminate the attack surface.
  • Until the upgrade is in place, assume that any account with verto access can inject the variables described above into its own sessions.
Compliance Impact

The vulnerability in FreeSWITCH's mod_verto module allows userVariables declared on failed login attempts to persist and apply after a subsequent successful login on the same connection. This can lead to unauthorized manipulation of session variables, affecting the integrity of call-side data.

The CVE description and its references do not mention specific regulations such as GDPR or HIPAA. The integrity impact nevertheless touches data accuracy and session security, which those frameworks care about, so the exposure should be recorded and remediated accordingly.

Upgrading to 1.11.1 or later, restricting access to the verto WebSocket listener to trusted networks, and disabling mod_verto where unused reduce the associated compliance risk.
