CVE-2026-46514 in frogman
Summary
by MITRE • 07/16/2026
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_reset_password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm_add_extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode those responses into oc_audit_log.detail, allowing any PERM_READ caller with access to fm_audit_search to recover the stored credentials. This issue is fixed in version 1.6.2.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability resides within Frogman's headless PBX control system that operates through MCP and HTTP API interfaces. The security flaw manifests in two distinct functions that handle credential management within the system's administrative toolkit. The vulnerability stems from improper handling of sensitive authentication data during password reset and extension creation operations, creating a critical exposure in the system's privilege management framework.
The technical implementation of this vulnerability occurs through multiple code paths that directly expose plaintext credentials to unauthorized users. Specifically, fm_reset_password function in Tools/ResetPassword.php at lines 48-53 returns plaintext passwords without any cryptographic protection or access controls. Similarly, fm_add_extension function in Tools/AddExtension.php at lines 172 returns plaintext secrets that contain authentication tokens for new extensions. These functions operate within the broader Frogman.class.php framework where audit outcomes are processed at lines 2207-2211, specifically using the auditOutcome variable to JSON-encode responses into oc_audit_log.detail fields. This encoding process creates a direct pathway for credential exposure since the audit logging mechanism is designed to be accessible to users with PERM_READ permissions.
The operational impact of this vulnerability represents a severe privilege escalation risk that allows attackers with minimal access levels to obtain sensitive authentication information. Any user possessing PERM_READ privileges and access to the fm_audit_search functionality can exploit this flaw to recover stored credentials from audit logs, essentially bypassing normal authentication controls. This creates an environment where unauthorized individuals can gain access to password reset tokens and extension secrets, potentially leading to complete system compromise or unauthorized administrative access. The vulnerability directly violates fundamental security principles of credential protection and access control enforcement.
The mitigation strategy for this vulnerability involves upgrading to version 1.6.2 which addresses the core issue through proper credential handling mechanisms. Organizations should implement immediate access controls to restrict audit search functionality to privileged users only, while ensuring that all authentication data is properly encrypted both in transit and at rest. Security monitoring should be enhanced to detect unusual access patterns to audit logs, and administrative processes should be reviewed to ensure that credential exposure occurs only through secure, authorized channels. This vulnerability aligns with CWE-312 (Cleartext Storage of Sensitive Information) and represents a significant concern under ATT&CK technique T1566 (Phishing) and T1078 (Valid Accounts) as it enables attackers to obtain legitimate credentials for unauthorized access.
The root cause analysis reveals fundamental flaws in the system's security architecture where audit logging mechanisms were not properly secured against unauthorized access. This type of vulnerability demonstrates the importance of implementing proper privilege separation and ensuring that audit data does not contain sensitive information that could be exploited by users with read-only access. The fix in version 1.6.2 likely involves implementing proper encryption of credential data during storage and transmission, along with strengthening access controls around audit log retrieval mechanisms. Security teams should also consider implementing additional monitoring for credential-related activities and ensure proper security testing of administrative functions before deployment to production environments.
Organizations utilizing Frogman systems should conduct immediate vulnerability assessments to identify any instances where this issue may have been exploited, while also reviewing their broader security posture to ensure similar credential exposure vulnerabilities do not exist in other system components. The incident highlights the critical importance of secure coding practices and proper implementation of access control mechanisms within administrative interfaces. Regular security audits and penetration testing should be conducted to identify potential credential exposure risks, particularly in systems that handle sensitive authentication data through logging and audit mechanisms. This vulnerability serves as a reminder of the necessity for comprehensive security controls throughout all system components rather than relying solely on perimeter-based protections.