Cyber Posture

CVE-2026-40520

Severity: High · Public PoC

Published: 21 April 2026

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

FreePBX api module versions 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function, where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Directly requires validation and sanitization of GraphQL mutation input fields before they are passed to shell_exec(), to prevent command injection via backtick-wrapped payloads.
- Prevent: Mandates timely remediation of the specific command injection flaw in the initiateGqlAPIProcess() function through patching, as detailed in the FreePBX commit.
- Prevent: Enforces restrictions on the module field input to whitelist only valid module names, blocking injection of arbitrary shell commands.

Security Summary (AI-generated)

CVE-2026-40520 is a command injection vulnerability (CWE-78) affecting the FreePBX api module in versions 17.0.8 and prior. The issue resides in the initiateGqlAPIProcess() function, where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. This flaw has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-21.

An authenticated user with a valid bearer token can exploit this vulnerability by sending a GraphQL moduleOperations mutation containing backtick-wrapped commands in the module field. Successful exploitation enables arbitrary command execution on the underlying host as the web server user, potentially leading to high confidentiality, integrity, and availability impacts.

Mitigation details are available in the FreePBX api module patch commit at https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6, which addresses the vulnerable code in Api.class.php and ApiGqlHelper.class.php. Additional analysis is provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql.
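As an added PHP illustration (not FreePBX's code and not the patched commit), the unsafe concatenation pattern that the description and summary above attribute to initiateGqlAPIProcess(), placed next to a hardened form that applies the allow-list control from the Mitigating Controls section and starts the helper without a shell; the helper path, the function names and the known-module list are assumptions.

```php
<?php
// Added illustration, not FreePBX's code. The unsafe shape is the pattern the
// advisory describes (mutation input concatenated into a shell_exec() string);
// the hardened form allow-lists the value and starts the helper without a shell.
// '/usr/local/bin/module-tool', the function names and $knownModules are hypothetical.

// UNSAFE: the shell parses the whole string, so backticks and other metacharacters
// in $module become extra commands. Shown only for contrast; never called here.
function runModuleOperationUnsafe(string $action, string $module): string
{
    return (string) shell_exec("/usr/local/bin/module-tool {$action} {$module}");
}

// Allow-list the shape of a module name: lowercase letters, digits, underscore, bounded length.
function isValidModuleName(string $module): bool
{
    return preg_match('/^[a-z0-9_]{1,64}$/', $module) === 1;
}

// HARDENED: reject anything not on the allow-lists, then pass arguments as an
// array so no shell ever interprets them (array form of proc_open, PHP >= 7.4).
function runModuleOperationSafe(string $action, string $module, array $knownModules): string
{
    if (!in_array($action, ['install', 'uninstall', 'enable', 'disable'], true)) {
        throw new InvalidArgumentException('unknown action');
    }
    if (!isValidModuleName($module) || !in_array($module, $knownModules, true)) {
        throw new InvalidArgumentException('module name rejected');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/local/bin/module-tool', $action, $module], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start module tool');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: only a plain module name passes the shape check; values
// carrying shell metacharacters are rejected before any process is started.
foreach (['core', 'core `true`', 'core;echo', '../core'] as $candidate) {
    printf("%-12s => %s\n", $candidate, isValidModuleName($candidate) ? 'accepted' : 'rejected');
}
```

The allow-list check alone would have stopped the backtick payload the advisory describes; the shell-free process start is defence in depth for any value that slips past validation.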

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products:
- freepbx / api / ≤ 17.0.8

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This CVE enables exploitation of a public-facing web application (the FreePBX API module) via authenticated GraphQL command injection (CWE-78), leading directly to arbitrary Unix shell command execution through shell_exec().

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
