CVE-2026-49848— FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| signalwire | freeswitch | < 1.11.1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49848
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`
Source: NVD (National Vulnerability Database)
Vulnerability Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
FreeSWITCH 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FreeSWITCH是美国Anthony Minessale个人开发者的研发的一套免费、开源的通信软件。该软件可用于创建音、视频以及短消息类产品和应用。 FreeSWITCH 1.11.1之前版本存在授权问题漏洞,该漏洞源于mod_verto的check_auth用户身份验证分支在比较提供的密码之前将请求提供的userVariables写入连接状态,写入是追加的,并且在比较失败时连接未关闭,因此在错误密码尝试上声明的值在同一WebSocket上持久存在,并带入该连接上的后续成功登录。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| signalwire | freeswitch | < 1.11.1 | - |
II. Public POCs for CVE-2026-49848
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49848
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-49848 (1)
Vendor Advisories for CVE-2026-49848 (1)
Same Patch Batch · signalwire · 2026-06-09 · 9 CVEs total
| CVE-2026-49841 | 9.8 CRITICAL | FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read |
| CVE-2026-49840 | 9.1 CRITICAL | FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing |
| CVE-2026-45771 | 7.5 HIGH | Freeswitch Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion |
| CVE-2026-49842 | 7.5 HIGH | FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames |
| CVE-2026-49847 | 7.5 HIGH | FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON |
| CVE-2026-49475 | 7.5 HIGH | FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing |
| CVE-2026-49843 | 5.3 MEDIUM | FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto |
| CVE-2026-49472 | 5.3 MEDIUM | FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat |
IV. Related Vulnerabilities
Same product: freeswitch
- CVE-2026-49847
FreeSWITCH: Stack overflow in bundled cJSON parser via deepl - CVE-2026-49843
FreeSWITCH: Pre-authentication session eviction via attacker - CVE-2026-49842
FreeSWITCH: Pre-authentication bandwidth amplification via ` - CVE-2026-49841
FreeSWITCH: Pre-authentication heap buffer overflow in `mod_ - CVE-2026-49840
FreeSWITCH: Pre-authentication heap buffer overflow in libes
Same vendor: signalwire
- CVE-2026-49847
FreeSWITCH: Stack overflow in bundled cJSON parser via deepl - CVE-2026-49843
FreeSWITCH: Pre-authentication session eviction via attacker - CVE-2026-49842
FreeSWITCH: Pre-authentication bandwidth amplification via ` - CVE-2026-49841
FreeSWITCH: Pre-authentication heap buffer overflow in `mod_ - CVE-2026-49840
FreeSWITCH: Pre-authentication heap buffer overflow in libes
Same weakness: CWE-287
- CVE-2026-12183
BUK TS-G系统2.9.1-2.10.2认证漏洞 - CVE-2026-50623
Apache CXF: Authentication Bypass in OAuth2 TokenIntrospecti - CVE-2026-48611
OAuth实现未正确验证身份导致默认安装账户劫持 - CVE-2026-40995
X.509 authentication bypasses Spring Security account checks - CVE-2026-46705
russh server userauth state is not reset when authentication
V. Comments for CVE-2026-49848
No comments yet