CVE-2026-46513 in frogman
Summary
by MITRE • 07/16/2026
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hex(random_bytes(32)) strings in oc_api_tokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stored raw value, allowing database read access to recover reusable active tokens at their assigned permission level, including admin. This issue is fixed in version 1.6.2.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Frogman versions prior to 1.6.2 represents a critical security flaw in API token management that directly impacts the system's authentication mechanism and overall security posture. The software provides headless PBX control through MCP and HTTP API interfaces, making it a potential target for unauthorized access to telephony infrastructure. This issue stems from improper handling of API tokens during their creation and validation processes, creating a persistent security weakness that could be exploited by attackers with database access.
The technical flaw manifests in how Frogman generates and validates API tokens through two distinct code paths that fail to maintain consistent token representation. During token generation, the system creates raw binary data using random_bytes(32) and immediately converts it to hexadecimal format with bin2hex() for storage in the oc_api_tokens database table. However, during authentication in Frogman.class.php at line 78, the system compares the incoming X-Frogman-Token header value directly against this stored hexadecimal representation without any normalization or conversion process. This discrepancy creates a fundamental mismatch where the token validation logic operates on different data representations than what was originally stored.
The operational impact of this vulnerability extends far beyond simple authentication bypasses, as it provides attackers with persistent access to administrative privileges through database read operations. When an attacker gains database access, they can directly query the oc_api_tokens table and retrieve these raw hexadecimal token values, which remain valid for their assigned permission levels including administrative access. This creates a scenario where compromised database credentials immediately translate into elevated system privileges without requiring additional exploitation techniques or session hijacking efforts.
The vulnerability aligns with common security weaknesses documented in CWE-259 and CWE-312, specifically addressing improper handling of sensitive data and the storage of sensitive information in an easily readable format. From an adversarial perspective, this issue maps directly to ATT&CK technique T1078.004 for valid accounts and T1566.001 for credential access through database breaches. The persistence aspect of this vulnerability means that once exploited, attackers can maintain access across system restarts and token expiration cycles, as long as they retain database read privileges.
Mitigation strategies should focus on implementing proper token normalization throughout the generation and validation lifecycle, ensuring consistent representation of tokens regardless of whether they are stored or compared. Organizations should upgrade to Frogman version 1.6.2 which addresses this specific vulnerability through improved token handling mechanisms. Additional defensive measures include implementing database access controls, monitoring for unauthorized database queries, and considering token rotation policies to limit the window of opportunity for exploitation. Security teams should also conduct comprehensive audits of all token-based authentication systems to identify similar representation inconsistencies that could create equivalent vulnerabilities in other software components.