CVE-2026-46513
Received Received - Intake

Frogman API Token Exposure via Raw Hex Storage

Vulnerability report for CVE-2026-46513, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hex(random_bytes(32)) strings in oc_api_tokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stored raw value, allowing database read access to recover reusable active tokens at their assigned permission level, including admin. This issue is fixed in version 1.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
frogman frogman 1.6.2
frogman frogman to 1.6.2 (exc)
frogman frogman to 1.6.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-256 The product stores a password in plaintext within resources such as memory or files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Frogman is a headless PBX control system that uses API tokens for authentication. Prior to version 1.6.2, these tokens were stored in plaintext in the database. If an attacker gained access to the database, they could retrieve and reuse these tokens to authenticate to the system at the token's assigned permission level, including admin access.

Detection Guidance

Check for plaintext API tokens in the oc_api_tokens table of your Frogman database. Look for raw bin2hex(random_bytes(32)) formatted tokens. Verify if tokens are stored in the old format without the sha256$ prefix.

Impact Analysis

If your Frogman instance is running a version prior to 1.6.2, an attacker with database access could steal API tokens and gain unauthorized access to your PBX system. This could lead to misuse of system functions, data breaches, or administrative control over your phone system.

Compliance Impact

This vulnerability likely violates compliance requirements for protecting sensitive data, such as GDPR's data protection principles or HIPAA's safeguards for protected health information. Storing credentials in plaintext is a clear security failure that could lead to regulatory penalties.

Mitigation Strategies

Upgrade Frogman to version 1.6.2 or later to enable token hashing. Rotate all existing API tokens immediately to invalidate potentially exposed credentials. Encrypt database backups to prevent token exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46513. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart