FreePBX, widely recognized as the world’s most popular open-source IP PBX platform for building customized phone systems, has fixed a critical security vulnerability affecting its User Control Panel (UCP).
Tracked as CVE-2026-46376, the flaw carries a CVSS v3.1 base score of 9.1, a significant threat to voice-over-IP (VoIP) infrastructure and enterprise communications. It allows unauthenticated attackers to log in to the system's user portal using static, hard-coded credentials that the template setup creates and that were never changed after initial deployment.
The security gap stems from how FreePBX handles template setups for end-users. To make large UCP roll-outs easier for system administrators, the platform includes an optional configuration feature known as the UCP generic template setup.
Starting the template initialization requires an authenticated login to the Administrator Control Panel (ACP), but the accounts it creates carry hard-coded sample credentials as part of the default template structure. If an administrator enables the generic templates and does not change those default passwords, nothing further stands between an outside attacker and the portal: anyone who knows the static credentials can authenticate directly to the UCP interface, from the local network or from the internet wherever the portal is reachable.
The vulnerability compromises the user-facing side of the phone system rather than the administrative interface, but a UCP session can still serve as a foothold inside an organization's network. It impacts installations running the following versions of the platform:
- FreePBX 16 branches: Versions prior to 16.0.45
- FreePBX 17 branches: Versions prior to 17.0.7
The development group has officially resolved the flaw in FreePBX 16.0.45 and FreePBX 17.0.7.
To neutralize the risk of unauthorized UCP access, administrators should immediately implement the following mitigation steps:
- Apply the Patch: Update the core userman (User Management) module to the latest available version. The patched versions randomize the default template passwords, so accounts created from the template no longer share a static, publicly known credential.
- Lock Down Administrative Interfaces: Restrict access to the FreePBX Administrator Control Panel (ACP) to authorized personnel. Security teams can enforce network or identity restrictions with native FreePBX components such as the User Management, SysAdmin VPN, Multi-Factor Authentication (MFA), or SAML single sign-on modules.
- Network Segmentation and Firewall Rules: Deny all incoming traffic from hostile or untrusted networks to both the ACP and the UCP. The built-in FreePBX Firewall module is the recommended tool; in particular, it offers an option that restricts UCP access to IP addresses that currently hold a successful SIP telephone registration on the system, which denies a remote attacker the portal even if the template credentials are still in place.
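The last mitigation suggests a detection for teams that cannot patch or enable the firewall rule immediately: a successful UCP login from an address with no active SIP registration is exactly what the firewall option would block, and a shared template credential lets one source log in to many accounts in quick succession. The script below, added here as an illustration and not part of FreePBX or of the advisory, applies both checks to constructed sample data. The registration listing and the UCP authentication log format are assumptions chosen for the example, not the formats FreePBX or Asterisk actually emit; adapt the two regular expressions to the real logs before use.

```python
"""Added example (not FreePBX code): flag UCP logins the Firewall module's
'registered SIP endpoint only' rule would have blocked, and sources that
walk through several accounts at once (the pattern a shared template
credential enables). Input formats below are constructed for this example."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: endpoints currently holding a SIP registration.
# The line format is an assumption for the example.
REGISTERED_CONTACTS = """
Contact: 1001/sip:1001@192.168.10.21:5060  Avail  12.000
Contact: 1002/sip:1002@192.168.10.22:5060  Avail  9.500
Contact: 1003/sip:1003@10.20.0.15:5060     Avail  11.200
"""

# Constructed sample UCP authentication events (format assumed).
UCP_AUTH_LOG = """
2026-05-02T09:14:02Z ucp login ok user=1001 ip=192.168.10.21
2026-05-02T09:15:11Z ucp login ok user=1002 ip=192.168.10.22
2026-05-02T09:20:40Z ucp login ok user=1001 ip=203.0.113.45
2026-05-02T09:20:41Z ucp login ok user=1002 ip=203.0.113.45
2026-05-02T09:20:42Z ucp login ok user=1003 ip=203.0.113.45
2026-05-02T09:22:00Z ucp login fail user=1004 ip=198.51.100.7
"""

# IPv4 only, to keep the example short; the port after the address is optional.
CONTACT_RE = re.compile(r"@(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) ucp login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def registered_ips(contacts_text):
    """Set of addresses with an active SIP registration (the firewall rule's allow-list)."""
    ips = set()
    for line in contacts_text.splitlines():
        m = CONTACT_RE.search(line)
        if m:
            ips.add(ipaddress.ip_address(m.group("ip")))
    return ips


def parse_auth_events(log_text):
    """Parse UCP login lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
                "ok": m.group("result") == "ok",
                "user": m.group("user"),
                "ip": ipaddress.ip_address(m.group("ip")),
            })
    return events


def unregistered_source_logins(events, registered):
    """Successful UCP logins from an IP that holds no SIP registration."""
    return [e for e in events if e["ok"] and e["ip"] not in registered]


def account_spray(events, min_accounts=3, window_seconds=300):
    """Sources that logged in to >= min_accounts distinct users inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if (x["ts"] - start["ts"]).total_seconds() <= window_seconds}
            if len(users) >= min_accounts:
                flagged[str(ip)] = sorted(users)
                break
    return flagged


def run(contacts_text=REGISTERED_CONTACTS, log_text=UCP_AUTH_LOG):
    """Run both checks and return the offending sources."""
    registered = registered_ips(contacts_text)
    events = parse_auth_events(log_text)
    return {
        "unregistered": sorted({str(e["ip"]) for e in unregistered_source_logins(events, registered)}),
        "spray": account_spray(events),
    }


if __name__ == "__main__":
    print(run())
```

On the sample data the only source flagged by both checks is 203.0.113.45, which logs in to three extensions within two seconds from an address that registers no phone. Failed attempts are deliberately left out of both checks so that ordinary password typos from real phones do not page anyone; a separate brute-force rule belongs in the firewall's own intrusion detection.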