CVE-2026-49843
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk18th percentile - higher than 18% of all known CVEs
Summary
In versions prior to 1.11.1, the mod_verto module in FreeSWITCH had a JSON-RPC handling issue that allowed binding a connection to a client-supplied session ID before authentication. This could lead to an unauthorized attacker evicting a legitimate client by knowing the session UUID.
Risk Assessment
The organization may be exposed to attacks that allow unauthorized users to evict authorized clients, potentially leading to communication disruptions and data loss.
Recommendation
It is recommended to upgrade to version 1.11.1 or later to mitigate this vulnerability and secure the system against potential attacks.
Original NVD description (English source)
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot — sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.

