{"id":"CVE-2026-40520","summary":"FreePBX api module Command Injection via GraphQL","details":"FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.","modified":"2026-07-08T08:13:12.895020783Z","published":"2026-04-21T12:41:05.281Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40520.json","cna_assigner":"VulnCheck","cwe_ids":["CWE-78"]},"references":[{"type":"WEB","url":"https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/Api.class.php#L546C1-L554C3"},{"type":"WEB","url":"https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/ApiGqlHelper.class.php#L34C1-L36C136"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40520.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40520"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql"},{"type":"FIX","url":"https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6"},{"type":"PACKAGE","url":"https://github.com/FreePBX/api"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freepbx/api","events":[{"introduced":"0"},{"fixed":"ca10ea7d9d72d118ab40484ec3f969aff25f685d"},{"fixed":"5f194e39a47e5481e8947f9694304d32724175f6"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"17.0.8"}],"cpe":"cpe:2.3:a:freepbx:api:*:*:*:*:*:*:*:*","source":["CPE_RANGE","REFERENCES"]}}],"versions":["release/17.0.7","release/17.0.6","release/17.0.5","release/17.0.4","release/17.0.3","release/17.0.2","release/17.0.1.7","release/17.0.1.6","release/17.0.1.5","release/17.0.1.4","release/17.0.1.3","release/17.0.1.2","release/17.0.1.1","release/17.0.1","release/16.0.9","release/16.0.8","release/16.0.7","release/16.0.6","release/16.0.5","release/16.0.4.10","release/16.0.4.9","release/16.0.4.8","release/16.0.4.7","release/16.0.4.6","release/16.0.4.5","release/16.0.4.4","release/16.0.4.3","release/16.0.4.2","release/16.0.4.1","release/16.0.4","release/16.0.3","release/16.0.2","release/15.0.3.7","release/15.0.3.6","release/15.0.3.5","release/15.0.3.4","release/15.0.3.3","release/15.0.3.2","release/15.0.3.1","release/15.0.3","release/15.0.2.1","release/15.0.2","release/15.0.1alpha4","release/15.0.1alpha3","release/15.0.1alpha2","release/15.0.1alpha1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40520.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}