CVE-2026-49843 MEDIUM

CVE-2026-49843: FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto`

Vendor Signalwire
Product freeswitch
Weakness CWE-287 · Improper authentication
Published June 9, 2026
Last update June 10, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot — sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 10, 2026 Record updated