Skip to content

v1.6.1 — Security release (superseded by v1.6.2)

Choose a tag to compare

@mwtcmi mwtcmi released this 13 May 19:17

⚠️ Use v1.6.2 instead. v1.6.1's install.php polluted FreePBX's global $db, breaking the standard fwconsole ma install frogman upgrade path with a SQL syntax error (UPDATE modules SET version=''1.6.1'' WHERE modulename=''frogman''). The migrations and security fixes themselves work correctly, but the FreePBX modules-table version-bump aborts and leaves the module in Disabled; Pending upgrade state, requiring manual mysql -e "UPDATE modules SET version=..." recovery.

v1.6.2 contains all the same security fixes from v1.6.1 plus the install-path fix. It is a drop-in replacement. Install or upgrade to v1.6.2 directly — do not install v1.6.1 first.

The four security advisories below remain accurate; just install v1.6.2 to get the patches.


Security release. Patches four advisories disclosed via responsible disclosure on the FreePBX community forum on 2026-05-13:

  • GHSA-pxfc-q72v-jh8m (Critical, CVSS 9.9) — dialplan template parameter injection in fm_dialplan_apply
  • GHSA-9xf5-9ghq-p6cw (High, CVSS 7.4) — API tokens stored plaintext in oc_api_tokens
  • GHSA-3p65-2prr-cfvf (Medium, CVSS 6.5) — plaintext credentials persisted to oc_audit_log
  • GHSA-f5jv-9rh8-gq7c (Medium, CVSS 6.5) — fm_update_extension silently wiped voicemail/Userman data

Upgrade notes

  • Existing API tokens continue to authenticate without re-issuance. The install.php migration hashes existing rows in place; the raw value users have stored maps to the new prefixed-hash format.
  • Historical oc_audit_log scrub is irreversible. If you have compliance reasons to preserve the pre-patch audit log contents, back it up encrypted before upgrading.
  • fm_audit_search now requires PERM_ADMIN. Read-tier API tokens that previously could query the audit log will be rejected. Re-issue with admin scope if needed.
  • fm_dialplan_apply now validates template parameters strictly. Existing legitimate templates work unchanged; payloads with newlines, backticks, or ${...} placeholders in URLs are rejected.

SECURITY.md was added at the repo root pointing at GitHub's private vulnerability report form for future disclosures.

Thanks to the FreePBX community member whose AI-assisted code review surfaced the originals.