CVE-2026-46515
Received Received - Intake

Frogman API Unauthorized Access to Sensitive Data Prior to 1.6.3

Vulnerability report for CVE-2026-46515, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, and fm_diagnose_trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5_cred, and oauth_secret. This issue is fixed in version 1.6.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
frogman frogman 1.6.3
frogman frogman to 1.6.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46515 is a privilege-scoping vulnerability in Frogman, a headless PBX control system. Prior to version 1.6.3, eight tools incorrectly inherited low-level read permissions (PERM_READ) but exposed sensitive admin data. Attackers with read-tier access could retrieve AMI manager secrets, outbound dial PINs, full Asterisk dialplans, root SSH commands, backup paths, call records, and execute arbitrary GraphQL queries. The fm_diagnose_trunk tool also exposed SIP trunk passwords in plaintext within audit logs.

Detection Guidance

Check Frogman logs for unauthorized access to sensitive endpoints like fm_list_managers, fm_diagnose_trunk, or fm_get_mcp_config. Look for plaintext credentials in audit logs, particularly in the oc_audit_log.detail field where SIP passwords or other secrets may appear. Verify if any PERM_READ tokens are active and used by non-admin users.

Impact Analysis

An attacker with PERM_READ access could steal credentials (SIP passwords, AMI secrets), access sensitive system data (dialplans, CDR records with PII), execute unauthorized operations via GraphQL mutations, or gain deeper system access through exposed SSH commands. This could lead to full system compromise, data breaches, or fraudulent calls.

Compliance Impact

This vulnerability likely violates GDPR (data protection) and HIPAA (health data privacy) by exposing personally identifiable information (PII) in call records and authentication secrets. Unauthorized access to such data constitutes a compliance failure, potentially resulting in regulatory fines and legal liabilities.

Mitigation Strategies

Upgrade Frogman to version 1.6.3 or later to apply the security fixes. Revoke all PERM_READ tokens for non-admin users as a temporary workaround. Ensure audit log redaction covers all credential fields, not just named keys. Restrict access to fm_diagnose_trunk and other affected tools to admin-only users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart