FreePBX security advisory (AV26-680)
Serial number: AV26-680 Date: July 9, 2026 On July 9, 2026, FreePBX published security advisories to address vulnerabilities in the following products: FreePBX API (FreePBX 17) – versions prior to 17.0.9 FreePBX Backup (FreePBX 17) – versions prior to 17.0.11 The Cyber Centre encourages users and administrators to review the web links provided, apply the necessary updates and perform the suggested mitigations. Authenticated API generatedocs Host Command Injection Authenticated Arbitrary SSH Key Injection via Backup Module FreePBX Security Advisories
CSIRTS triage
- What
- Multiple vulnerabilities have been identified in FreePBX that could allow command injection and SSH key injection.
- Who is affected
- Users of FreePBX 17 versions prior to 17.0.9 and 17.0.11 are affected.
- Urgency
- Remediation is necessary to prevent potential exploitation of these vulnerabilities.
- Action
- Users should update to the latest versions of FreePBX.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch FreePBX
Get an email when a new FreePBX advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://cyber.gc.ca/en/alerts-advisories/freepbx-security-advisory-av26-680
More from Canadian Centre for Cyber Security
- unknownBitWarden security advisory (AV26-683)2026-07-10
- criticalAL25-007 - Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 12026-07-10
- unknownMicrosoft Edge security advisory (AV26-682)2026-07-10
- criticalBroadcom VMware security advisory (AV26-681)2026-07-10
- unknownDjango security advisory (AV26-084) – Update 12026-07-09