CVE-2026-40520
Published: 21 April 2026
Summary
CVE-2026-40520 is a high-severity OS Command Injection (CWE-78) vulnerability in the FreePBX api module. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 31.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40520 is a command injection vulnerability (CWE-78) affecting the FreePBX api module in versions 17.0.8 and prior. The issue resides in the initiateGqlAPIProcess() function, where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. This flaw has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-21.
An authenticated user with a valid bearer token can exploit this vulnerability by sending a GraphQL moduleOperations mutation containing backtick-wrapped commands in the module field. Successful exploitation enables arbitrary command execution on the underlying host as the web server user, potentially leading to high confidentiality, integrity, and availability impacts.
Mitigation details are available in the FreePBX api module patch commit at https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6, which addresses the vulnerable code in Api.class.php and ApiGqlHelper.class.php. Additional analysis is provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24086
Vulnerability details
FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables exploitation of a public-facing web application (the FreePBX api module) via authenticated GraphQL command injection (CWE-78), which leads directly to arbitrary Unix shell command execution through shell_exec().
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of GraphQL mutation input fields before they are passed to shell_exec(), preventing command injection via backtick-wrapped payloads.
- SI-2 (Flaw Remediation): mandates timely remediation of the specific command injection flaw in the initiateGqlAPIProcess() function through patching, as detailed in the FreePBX commit.
- Enforces restrictions on the module field input so that only valid module names are accepted (whitelisting), blocking injection of arbitrary shell commands.
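The following is an added illustration of the input-validation control above, not code from the FreePBX api module or from the patch commit: it shows how a module name taken from a GraphQL mutation can be allowlisted and quoted before any command is built, so a backtick-wrapped payload never reaches shell_exec(). The allowlist pattern, the action list and the CLI path are assumptions for the example.

```php
<?php
// Added illustrative example; not the FreePBX project's own code.
// Assumptions: module raw names are plain lowercase identifiers
// (hypothetical allowlist rule), and MODULE_CLI is a placeholder path.

const MODULE_CLI = '/usr/sbin/fwconsole'; // assumed location, placeholder

/**
 * Reject any module name that is not a plain lowercase identifier.
 * Backticks and every other shell metacharacter fail this check,
 * so the caller never reaches shell_exec() with them.
 */
function isValidModuleName(string $module): bool
{
    return preg_match('/^[a-z0-9_]{1,64}$/', $module) === 1;
}

/**
 * Build the command only from an allowlisted action and module name, and
 * still wrap the name in escapeshellarg() as a second layer in case the
 * allowlist is loosened later. Returns null when validation fails, so the
 * caller can return a GraphQL error instead of running anything.
 */
function buildModuleCommand(string $action, string $module): ?string
{
    $actions = ['install', 'uninstall', 'enable', 'disable']; // assumed set
    if (!in_array($action, $actions, true) || !isValidModuleName($module)) {
        return null;
    }
    return MODULE_CLI . ' ma ' . $action . ' ' . escapeshellarg($module);
}

// Constructed inputs standing in for the "module" field of a
// moduleOperations mutation: one legitimate name and one backtick-wrapped
// value of the kind the advisory describes (CMD is a placeholder).
$inputs = ['core', 'core`CMD`'];

foreach ($inputs as $module) {
    $cmd = buildModuleCommand('install', $module);
    echo $module, ' => ', ($cmd === null ? 'REJECTED' : $cmd), PHP_EOL;
}
```

The allowlist check is the primary control; escapeshellarg() alone would neutralise the backticks but still lets arbitrary strings reach the command line, which is why the name is validated first.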