Cyber Resilience

CVE-2026-26978

HighRCE

Published: 18 May 2026

Published
18 May 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0090 55.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26978 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

FreePBX is an open source IP PBX whose backup module, in versions below 16.0.71 and 17.0.6, fails to sanitize data during restore operations. The module extracts files from a user-supplied tar archive and passes selected contents directly to unserialize() without validation, class restrictions, or integrity checks, enabling remote code execution as the web server user (typically asterisk or www-data). The flaw is tracked as CWE-502 and carries a CVSS 4.0 score of 8.6.

An authenticated attacker who possesses a username with sufficient restore permissions, or who can write to backup files, can upload a malicious tar archive containing crafted serialized data. Restoration of that archive triggers code execution without requiring shell access, CLI access, or additional filesystem write rights beyond the normal restore workflow. The attack is entirely remote over the network.

The issue is resolved in FreePBX backup module versions 16.0.71 and 17.0.6, as noted in the project’s GitHub commits and the accompanying GHSA-5v7h-49gr-jcwr advisory. The EPSS score remains flat at 0.0102 with no material increase after disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations,…

more

FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CWE-502 deserialization flaw in public-facing FreePBX web restore workflow directly enables unauthenticated-style RCE (post-auth) on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62368Shared CWE-502
CVE-2025-68903Shared CWE-502
CVE-2025-67911Shared CWE-502
CVE-2025-54014Shared CWE-502
CVE-2026-22505Shared CWE-502
CVE-2025-53078Shared CWE-502
CVE-2026-43633Shared CWE-502
CVE-2025-60039Shared CWE-502
CVE-2026-25429Shared CWE-502
CVE-2025-7697Shared CWE-502

Affected Assets

IP PBX. In
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-502

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

addresses: CWE-502

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

addresses: CWE-502

Validates or rejects untrusted serialized data before deserialization occurs.

addresses: CWE-502

Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

addresses: CWE-502

Integrity verification of serialized information can detect tampering before deserialization occurs.

addresses: CWE-502

Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.

References