CVE-2026-46513

Source
https://cve.org/CVERecord?id=CVE-2026-46513
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46513.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46513
Aliases
  • GHSA-9xf5-9ghq-p6cw
Published
2026-07-16T18:14:05.454Z
Modified
2026-07-17T03:45:43.449001794Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Frogman: API tokens stored in plaintext
Details

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hex(randombytes(32)) strings in ocapi_tokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stored raw value, allowing database read access to recover reusable active tokens at their assigned permission level, including admin. This issue is fixed in version 1.6.2.

Database specific
{
    "cwe_ids": [
        "CWE-256"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46513.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mwtcmi/frogman

Affected ranges

Type
GIT
Repo
https://github.com/mwtcmi/frogman
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.6.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.5.0
v1.6.0
v1.6.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46513.json"