Back to overview

CVE-2026-46515

CRITICAL
9.3
CVSS 4.0
Description
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, and fm_diagnose_trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5_cred, and oauth_secret. This issue is fixed in version 1.6.3.

Metadata

CVE ID
CVE-2026-46515
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-14 19:12 UTC
Published
2026-07-16 18:17 UTC
Last updated
2026-07-16 18:29 UTC
Primary CWE
CWE-862
CWE-862: Missing Authorization
Vendor / Product
mwtcmi / frogman
Sources
cve.org  ·  NVD

Severity & Metrics

9.3 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
mwtcmi frogman < 1.6.3
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862: Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
References (6)
Back to overview