FreePBX Vulnerability Lets Attackers Access User Control Panel Accounts


A critical FreePBX vulnerability can allow unauthenticated attackers to access the User Control Panel when affected systems use generic UCP templates with unchanged hard-coded initial credentials.

The flaw is tracked as CVE-2026-46376 and affects the userman module in FreePBX 16 and FreePBX 17. The issue has been patched in userman 16.0.45 and 17.0.7.

The vulnerability is serious because FreePBX is widely used to manage business phone systems, extensions, voicemail, call features, and user-level PBX settings. If the UCP is exposed to hostile networks, attackers may be able to access user portals without valid user credentials.

What is CVE-2026-46376?

CVE-2026-46376 is a hard-coded credentials vulnerability in the FreePBX User Control Panel setup flow. It affects systems where administrators enabled optional UCP generic templates and did not immediately change the initial template credentials.

The issue is classified as CWE-798, which covers the use of hard-coded credentials. This weakness can create unauthorized access paths when sample, default, or embedded passwords remain active after setup.

The advisory says authenticated access to the Administrator Control Panel is required for the initial UCP generic template setup. After that setup, however, the unchanged hard-coded credentials can leave user portals exposed.

FreePBX vulnerability at a glance

Detail                         Information
CVE                            CVE-2026-46376
GitHub advisory                GHSA-m55x-h47x-v3gx
Affected module                userman
Affected interface             User Control Panel
Affected FreePBX 16 versions   userman before 16.0.45
Affected FreePBX 17 versions   userman before 17.0.7
Patched versions               16.0.45 and 17.0.7
CVSS v4 base score             9.1 Critical
Weakness type                  CWE-798, use of hard-coded credentials

How the FreePBX flaw works

The flaw comes from hard-coded sample credentials used during the optional UCP generic template setup process. These templates are meant to make common UCP deployments easier for administrators.

If those initial credentials remain unchanged, anyone who knows them can log in to the UCP. The attacker does not need an account of their own on the target portal, which is why the advisory treats the attack as unauthenticated.

The vulnerability does not mean every FreePBX installation is automatically compromised. The risk depends on whether the affected template setup was used, whether the credentials were changed, and whether UCP access is reachable from untrusted networks.

Why UCP access matters

The User Control Panel gives FreePBX users access to personal telephony features. Depending on how the system is configured, that can include voicemail, call forwarding, contact settings, presence information, and extension-related controls.

Unauthorized UCP access can expose private user data and allow attackers to change settings tied to user accounts. In some environments, that could help attackers redirect calls, abuse voicemail access, or gather information for later attacks.

The advisory rates confidentiality and integrity impact as high. Availability impact is listed as none, meaning the main risk involves unauthorized access and changes rather than service disruption.

Who is most exposed?

Internet-facing FreePBX systems face the highest risk, especially when UCP or ACP interfaces are reachable without network restrictions. PBX servers often sit at the edge of business communication systems, which makes access control especially important.

Organizations that used UCP generic templates should check whether the hard-coded initial credentials were changed. Administrators should also verify whether the userman module has been updated to the patched version.

Hosted PBX providers, managed service providers, small businesses, call centers, healthcare offices, and schools should prioritize checks if they expose FreePBX portals to users over the public internet.

Potential impact of exploitation

  • Unauthorized access to FreePBX User Control Panel accounts.
  • Exposure of user-level telephony information.
  • Unauthorized changes to user settings.
  • Possible abuse of voicemail or extension-related features.
  • Increased risk of follow-on social engineering or PBX abuse.

The advisory does not describe remote code execution. Unauthorized portal access can still create serious business risk, especially in environments where phone systems handle sensitive calls or customer communications.

Why the score is critical

The GitHub advisory assigns CVE-2026-46376 a CVSS v4 base score of 9.1, which falls in the critical range. The attack vector is network-based, attack complexity is low, and exploitation does not require privileges or user interaction.

At the same time, the advisory lists Attack Requirements as Present (AT:P). In CVSS v4 that metric records that exploitation depends on a deployment condition outside the attacker's control: here, the UCP generic template setup must have been used and the hard-coded initial credentials must not have been changed.

This distinction matters for administrators. A server may run an affected userman version but still require configuration review to determine whether it is exposed through this specific path.

What FreePBX administrators should update

FreePBX branch   Vulnerable userman versions   Fixed userman version
FreePBX 16       Before 16.0.45                16.0.45 or later
FreePBX 17       Before 17.0.7                 17.0.7 or later

Administrators should update the userman module to the latest available version. The advisory says the fix randomizes the password, reducing the risk from the hard-coded template credential issue.

Systems that cannot be updated immediately should restrict UCP and ACP access to trusted networks and review all UCP template credentials. Any known, default, sample, or shared credentials should be replaced.

  • Update the FreePBX userman module to the patched version.
  • Check whether UCP generic templates were enabled.
  • Rotate any initial, template, default, or shared UCP credentials.
  • Limit UCP access to trusted IP addresses where possible.
  • Restrict Administrator Control Panel access with VPN, MFA, or SAML.
  • Use the FreePBX Firewall module to deny access from hostile networks.
  • Review portal logs for unusual login attempts.
  • Disable unused UCP features and remove stale users.

How to check for exposure

Administrators should start by checking the installed userman module version. They should then review whether UCP generic templates exist and whether any template credential remains unchanged.

Next, teams should review network exposure. If UCP is open to the public internet, the system has a larger attack surface than one restricted to trusted users or registered SIP phone IP addresses.

Administrators should also check recent UCP login history, user profile changes, call forwarding changes, voicemail access patterns, and any unexpected modifications to user settings.
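The following script is an added example, not FreePBX project code, that carries out the first two checks from the mitigation checklist and the exposure review above: it reads the installed userman version, compares it against the fixed releases named in the advisory (16.0.45 and 17.0.7), and flags web listeners bound to all interfaces, where UCP and ACP are normally served. The `fwconsole ma list` and `ss -ltn` table layouts it parses are assumed from memory of those tools' output; the sample listings embedded below are constructed so the script runs without a PBX, and the `fwconsole ma upgrade userman` command is only printed, not executed.

```shell
#!/bin/sh
# Added example (not FreePBX code): is the installed userman module below the
# fixed release, and is the web interface reachable from all addresses?

# version_lt A B: succeed (exit 0) when dotted numeric version A sorts before B.
# A missing trailing component counts as 0, so 16.0.45 is not below 16.0.45.0.
version_lt() {
  a="$1"
  b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"
    bh="${b%%.*}"
    if [ -z "$ah" ]; then ah=0; fi
    if [ -z "$bh" ]; then bh=0; fi
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1
}

# userman_vulnerable VERSION: succeed when VERSION is an affected release on the
# 16 or 17 branch (fixed versions from the advisory). Exit 2 for other branches.
userman_vulnerable() {
  case "$1" in
    16.*) version_lt "$1" 16.0.45 ;;
    17.*) version_lt "$1" 17.0.7 ;;
    *)    return 2 ;;
  esac
}

# userman_version_from_list TEXT: pull the Version column for the userman row
# out of a pipe-delimited module table (layout assumed to match `fwconsole ma list`).
userman_version_from_list() {
  printf '%s\n' "$1" | awk -F'|' '
    $2 ~ /^[[:space:]]*userman[[:space:]]*$/ { gsub(/[[:space:]]/, "", $3); print $3 }'
}

# public_web_listeners TEXT: print listening sockets bound to every interface on
# ports 80 or 443. TEXT is assumed to be in the column layout of `ss -ltn`.
public_web_listeners() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):(80|443)$/ { print $4 }'
}

# Constructed sample data, used when the real tools are not on this host.
SAMPLE_MA_LIST='+----------+---------+---------+---------+
| Module   | Version | Status  | License |
+----------+---------+---------+---------+
| ucp      | 16.0.33 | Enabled | AGPLv3  |
| userman  | 16.0.44 | Enabled | AGPLv3  |
+----------+---------+---------+---------+'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*'

if command -v fwconsole >/dev/null 2>&1; then
  listing="$(fwconsole ma list)"
else
  listing="$SAMPLE_MA_LIST"
fi
if command -v ss >/dev/null 2>&1; then
  sockets="$(ss -ltn)"
else
  sockets="$SAMPLE_SS"
fi

installed="$(userman_version_from_list "$listing")"
case "$installed" in
  "")        echo "userman: not found in module listing" ;;
  16.*|17.*)
    if userman_vulnerable "$installed"; then
      echo "userman $installed: affected, run: fwconsole ma upgrade userman && fwconsole reload"
    else
      echo "userman $installed: at or above the fixed release"
    fi ;;
  *)         echo "userman $installed: branch not covered by the advisory" ;;
esac

for sock in $(public_web_listeners "$sockets"); do
  echo "web listener on all interfaces: $sock (restrict UCP/ACP with the Firewall module or a VPN)"
done
```

A listener on 0.0.0.0:443 is not proof that UCP is reachable from the internet (a perimeter firewall or the FreePBX Firewall module may sit in front of it), but it is the condition under which the template-credential issue becomes remotely usable, so it belongs on the same checklist as the version.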

Security hardening beyond the patch

Patching fixes the known vulnerability, but FreePBX systems still need strong access controls. PBX platforms often connect to voice trunks, internal extensions, voicemail systems, and business workflows.

Administrators should avoid exposing ACP to the open internet. If remote administration is required, VPN and MFA offer stronger protection than a public login page.

The same principle applies to UCP. Organizations can reduce risk by allowing portal access only from trusted networks, known user locations, or IP addresses that have successfully registered SIP devices.

Why hard-coded credentials keep causing breaches

Hard-coded credentials remain a common security failure because they simplify setup but create long-term risk. If administrators miss the rotation step, attackers can reuse the same credential pattern across many deployments.

Template-driven systems need safe defaults. Initial credentials should expire, rotate automatically, or force a change before a portal becomes reachable.

CVE-2026-46376 shows why that design matters. A convenience feature in a deployment workflow can become a critical vulnerability when it leaves working credentials behind.
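To make the safe-default point concrete, here is an added example, not FreePBX code, that contrasts the two ways a template flow can seed a user's first password: a fixed literal shared by every install (the pattern CWE-798 describes, with a placeholder value invented for this example) and a per-install random secret that is also flagged as must-change. The record layout `name:password:must_change=N` is a constructed stand-in for whatever store a real application uses.

```shell
#!/bin/sh
# Added example (not FreePBX code): hard-coded versus randomized initial credentials.

# Weak pattern: every installation gets the same literal. The value below is a
# placeholder invented for this example, not the credential from the advisory.
seed_user_hardcoded() {
  printf '%s:%s:must_change=0\n' "$1" "template-password"
}

# gen_initial_password: 24 characters from /dev/urandom restricted to
# [A-Za-z0-9], roughly 143 bits of entropy, so no two installs share a value.
gen_initial_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Safe pattern: random secret plus a must_change flag, so the portal forces a
# reset on first login instead of depending on an admin remembering to rotate.
seed_user_random() {
  printf '%s:%s:must_change=1\n' "$1" "$(gen_initial_password)"
}

# record_must_change RECORD: succeed when the record still demands a reset.
record_must_change() {
  case "$1" in
    *":must_change=1") return 0 ;;
    *)                 return 1 ;;
  esac
}

# Two installs seeded the hard-coded way are indistinguishable; two seeded
# the random way are not, and both still carry the must_change marker.
first="$(seed_user_hardcoded alice)"
second="$(seed_user_hardcoded alice)"
if [ "$first" = "$second" ]; then
  echo "hard-coded: identical on every install -> $first"
fi
third="$(seed_user_random alice)"
fourth="$(seed_user_random alice)"
if [ "$third" != "$fourth" ]; then
  echo "random: differs per install -> $third"
fi
```

The must_change flag is the part most template systems leave out: a random value closes the cross-deployment reuse problem, while the forced reset closes the window in which a secret printed on a setup screen or left in a provisioning log stays valid.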

What organizations should do now

Organizations using FreePBX should treat this as an urgent configuration and update review. The first step is updating userman, but the second step is confirming that no exposed UCP template credential remains active.

Security teams should also document which PBX interfaces are internet-facing. Public ACP or UCP access should require strict controls, and unused access paths should be closed.

The safest approach is to patch, rotate credentials, restrict access, and audit recent portal activity. That combination addresses both the known flaw and the broader risk of exposed PBX management interfaces.

FAQ

What is CVE-2026-46376 in FreePBX?

CVE-2026-46376 is a hard-coded credentials vulnerability in the FreePBX userman module. It can allow unauthenticated access to the User Control Panel when UCP generic templates use unchanged initial template credentials.

Which FreePBX versions are affected?

The advisory lists FreePBX 16 userman versions before 16.0.45 and FreePBX 17 userman versions before 17.0.7 as affected. Administrators should update to those versions or later.

Does the flaw affect every FreePBX installation?

No. The key risk applies when the optional UCP generic template setup was used and the initial hard-coded template credentials were not changed. Publicly exposed UCP portals face higher risk.

What can attackers do after exploiting the FreePBX UCP flaw?

Attackers may access user portal accounts, view sensitive user-level telephony information, and change UCP settings. The advisory rates confidentiality and integrity impact as high.

How can administrators fix CVE-2026-46376?

Administrators should update the userman module, rotate any template or default credentials, restrict ACP and UCP access to trusted networks, and use controls such as VPN, MFA, SAML, or the FreePBX Firewall module.
