v1.6.3 β security release (privilege-scoping advisory)
v1.6.3 β security release + post-v1.6.1 bug-fix sweep
219 tools (unchanged from v1.6.2). All open issues in the post-v1.6.1 review queue closed.
Security
GHSA-q4c4-5cr4-8q47 β High (CVSS 7.1) β privilege-scoping pattern. Eight tools were inheriting PERM_READ despite surfacing admin-grade data or performing admin-grade operations. Read-tier callers could pull AMI manager credentials, outbound dial PINs, full dialplan, root SSH connection commands, backup paths, CDR/PII, execute arbitrary saved GraphQL (including mutations), and recover SIP trunk passwords from raw AMI endpoint dumps.
Fixed:
- 7 tools bumped to
PERM_ADMIN(#13) βfm_list_managers,fm_list_pinsets,fm_show_context,fm_get_mcp_config,fm_backup_status,fm_whos_calling,fm_run_saved_query fm_diagnose_trunkbumped toPERM_ADMINAND adds line-level redaction of credential-bearing fields (password,md5_cred,oauth_secret,refresh_token,dtls_private_key, plus pattern catch-alls) from the AMI endpoint dump (#25). Defense in depth β admin-tier callers also shouldn't have plaintext credentials persisted in audit rows indefinitely.
Real-world exposure at disclosure time was nil (no PERM_READ tokens in active use on any known deployment). Fix landed proactively.
Bug fixes
- #15 β
fm_did_destination_map/fm_list_all_didsrendered every queue as the unnamedQueue NNNlabel.AbstractTool::describeDestination()queriedqueues_configwithWHERE keyword='descr', which is the schema ofqueues_details. Now queriesqueues_config.descrdirectly. - #11 β every conference chat command (
who's in conference X,kick,mute/unmute,lock/unlock) returned "Parameter 'room' is required" and never reached its tool. ChatParser built params withid/state; tools expectedroom/action. Same fix also correctedunmutesilently muting andunlocksilently locking. - #12 β Confbridge tools accepted any string for
room,channel,action.ConfbridgeListLive'sroomflowed into a line-framed AMI Command β a newline could disturb parsing. Now allowlist-validated across all 5 tools. - #21 β three write tools accepted free-text inputs that should have been allowlisted:
ToggleTimecondition.state,UpdateSipNat.external_ip+local_network,SetCallForward.type. Now validated (IP-or-FQDN for external IP, CIDR-list for local network, allowlists for the rest). - #1 (closed via this release) β README now has an explicit "Other MCP clients" subsection naming Claude Desktop, Claude Code, Cursor, Windsurf as tested with the same SSH-transport pattern, plus a pointer to INTEGRATION.md for non-MCP integrations.
Web-console behavior change
Non-admin web-console users (sessions without admin in oc_permissions) will be denied access to four chat-exposed tools: fm_audit_search, fm_get_mcp_config, fm_backup_status, fm_whos_calling. The chat console's live audit panel is unaffected β it uses a separate handleAuditFeed() endpoint. Sites that need read-tier users to access any of these can grant admin via set permission <user> to admin.
Install
URL=$(curl -s https://api.github.com/repos/mwtcmi/frogman/releases/latest | grep browser_download_url | grep '\.tgz' | cut -d'"' -f4)
fwconsole ma downloadinstall "$URL"
fwconsole reload