CVE-2026-46512 in Frogman
Summary
by MITRE • 07/16/2026
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Frogman PBX control system represents a critical authorization and input validation flaw that enables unauthorized code execution through template parameter injection. This issue affects versions prior to 1.6.2 where the fm_dialplan_apply function processes template parameters including greeting, dest, url, extension, code, and file without adequate sanitization. The vulnerability stems from insufficient validation of user-supplied inputs during the dialplan application process, creating a path for privilege escalation attacks.
The technical flaw manifests in the Tools/DialplanApply.php component which writes output to extensions_custom.conf while only limited sanitization occurs in Dialplan/TemplateBase.php at lines 38-42. Specifically, the contextName() function receives inadequate protection, allowing malicious actors with PERM_WRITE privileges to inject arbitrary Asterisk directives. This includes dangerous commands such as System(), Set(SHELL(...)), Goto, and Macro directives that can execute arbitrary system commands or manipulate call flows. The vulnerability essentially allows attackers to bypass normal access controls and directly influence the underlying Asterisk PBX configuration.
The operational impact of this vulnerability is severe as it enables attackers with minimal privileges to execute arbitrary code on the PBX server. This compromises the entire communication infrastructure, potentially allowing for eavesdropping, call redirection, or complete system takeover. The attack vector requires only a user with PERM_WRITE access and the ability to set confirm:true parameter, making it particularly dangerous in environments where multiple users have varying levels of access. The injected directives can manipulate the phone system's behavior in ways that could disrupt services or provide unauthorized access to sensitive communication channels.
The vulnerability aligns with CWE-94 (Improper Control of Generation of Code) and CWE-79 (Cross-site Scripting) categories, representing a code injection flaw that allows arbitrary command execution. From an ATT&CK framework perspective, this maps to T1059 (Command and Scripting Interpreter) and T1566 (Phishing) as attackers can leverage this vulnerability to execute system commands or manipulate user interactions. The fix implemented in version 1.6.2 addresses the root cause by properly sanitizing all input parameters before they are processed and written to configuration files, ensuring that only valid Asterisk directives can be executed through the template system.
Organizations using Frogman PBX systems should immediately upgrade to version 1.6.2 or later to remediate this vulnerability. Additional mitigations include implementing network segmentation to limit access to the MCP and HTTP API endpoints, enforcing strict access controls for PERM_WRITE privileges, and monitoring for unusual configuration changes in extensions_custom.conf files. Regular security audits should verify that all template parameters are properly validated and sanitized before processing, ensuring that no arbitrary directive injection can occur through the dialplan application system.