FreePBX
cpe:2.3:a:freepbx:freepbx:*:*:*:*:*:*:*
- < 17.0.8
An authentication bypass vulnerability has been identified in the FreePBX API module's OAuth2 implementation, prior to version 17.0.8. The issue arises because the implementation does not properly validate client credentials during token issuance. Specifically, the validateClient() method in ClientRepository.php always returns true, allowing anyone with knowledge of a valid client_id to obtain OAuth2 access tokens without the corresponding client_secret. This vulnerability requires the API module to be installed with at least one OAuth2 application configured.
Exploitation of this vulnerability allows an attacker to obtain OAuth2 access tokens via the client_credentials grant, without needing the client_secret. Tokens obtained in this way, with the default gql scope, provide full read/write access to all GraphQL mutations and queries.
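The defect described above is a client repository whose validateClient() unconditionally returns true. The following added example (illustrative code, not FreePBX's ClientRepository.php) shows that shape next to a hardened version that actually checks the client, the grant type and the secret. The method signature follows League OAuth2 Server's ClientRepositoryInterface, which the FreePBX API module is assumed here to build on; the in-memory client store, the client name and the password_hash() storage format are constructed for the demo.

```php
<?php
// Added example: a minimal client-validation routine in the vulnerable shape
// (always true) beside a hardened one. Not FreePBX code. The signature mirrors
// League OAuth2 Server's ClientRepositoryInterface::validateClient() (assumed
// dependency); the client store below is constructed sample data.

declare(strict_types=1);

// Constructed sample store: client_id => stored record. In a real deployment
// this comes from the database and secrets are stored hashed, never in clear.
$clients = [
    'freepbx-demo-client' => [
        'secret_hash'  => password_hash('demo-secret-not-real', PASSWORD_DEFAULT),
        'grants'       => ['client_credentials'],
        'confidential' => true,
    ],
];

/**
 * Vulnerable shape: every call succeeds, so a caller who knows only the
 * client_id is issued a token regardless of the secret (or absence of one).
 */
function validateClientVulnerable(array $clients, string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool
{
    return true;
}

/**
 * Hardened version: the client must exist, the requested grant must be allowed
 * for it, and a confidential client must present a secret matching the hash.
 */
function validateClientHardened(array $clients, string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool
{
    if (!isset($clients[$clientIdentifier])) {
        return false;                       // unknown client_id
    }
    $client = $clients[$clientIdentifier];

    if ($grantType !== null && !in_array($grantType, $client['grants'], true)) {
        return false;                       // grant type not permitted for this client
    }

    if ($client['confidential']) {
        if ($clientSecret === null || $clientSecret === '') {
            return false;                   // confidential client must send a secret
        }
        // password_verify() compares in constant time against the stored hash.
        return password_verify($clientSecret, $client['secret_hash']);
    }

    return true;                            // public client: no secret expected
}

// Demonstration: client_credentials request carrying only the client_id.
$onlyId = [
    'vulnerable' => validateClientVulnerable($clients, 'freepbx-demo-client', null, 'client_credentials'),
    'hardened'   => validateClientHardened($clients, 'freepbx-demo-client', null, 'client_credentials'),
];
$wrongSecret = validateClientHardened($clients, 'freepbx-demo-client', 'wrong', 'client_credentials');
$rightSecret = validateClientHardened($clients, 'freepbx-demo-client', 'demo-secret-not-real', 'client_credentials');
$wrongGrant  = validateClientHardened($clients, 'freepbx-demo-client', 'demo-secret-not-real', 'password');

printf("client_id only -> vulnerable=%s hardened=%s\n", var_export($onlyId['vulnerable'], true), var_export($onlyId['hardened'], true));
printf("wrong secret   -> hardened=%s\n", var_export($wrongSecret, true));
printf("correct secret -> hardened=%s\n", var_export($rightSecret, true));
printf("wrong grant    -> hardened=%s\n", var_export($wrongGrant, true));
```

The point for reviewers of any OAuth2 server integration is that the client repository is the only place the client_secret is ever checked during the client_credentials grant; if it returns a constant, every downstream token, scope and GraphQL authorization decision is built on an unauthenticated caller.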
Users are advised to update the API module to the latest version. Additionally, ensure that only authorized users have access to the FreePBX Administrator Control Panel, and consider using the FreePBX User Management, SysAdmin VPN, MFA or SAML modules for added security. It is also recommended to deny access from hostile networks to the ACP using the FreePBX Firewall module, and to maintain secure control of backups.