#VU122440 XML External Entity injection in Asterisk Open Source and Certified Asterisk - CVE-2026-23739


Published: February 6, 2026


Vulnerability identifier: #VU122440
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23739
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Asterisk Open Source
Certified Asterisk
Software vendor:
Digium (Linux Support Services)

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input within the ast_xml_open() function in xml.c. A remote privileged user can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.

The vendor notes that Asterisk currently does not allow untrusted or user-supplied XML to be used, but that a fix should be made in case this changes in the future.
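The defect class named above (CWE-611) comes down to parsing XML before checking whether it declares a DTD or entities. The following Python example is added here and is not Asterisk's code (ast_xml_open() in xml.c is not reproduced; this is a generic, stand-alone check built on the standard-library expat binding). It scans a document for DOCTYPE and entity declarations, reports what it finds, and refuses to parse anything that carries them. Both sample documents are constructed for the example, and the file URL in the second one is a placeholder.

```python
"""Pre-parse validation for XML from untrusted sources (CWE-611 mitigation).

Added example, not project code. Policy: untrusted XML has no legitimate need
for a DOCTYPE, so any DTD or entity declaration is reported and the document
is rejected before a tree is built.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or any entity."""


def scan_xml(data):
    """Return a list of (kind, detail) findings for DTD/entity constructs.

    Expat is driven with declaration handlers only; no
    ExternalEntityRefHandler is installed, so nothing is fetched while
    scanning. An empty list means the document is free of DOCTYPE and
    entity declarations.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name))
        if system_id:  # external DTD subset referenced by the DOCTYPE
            findings.append(("external_dtd", system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM/PUBLIC entity: file or URL fetch
            findings.append(("external_entity", f"{name}={system_id}"))
        else:  # internal entity: expansion/"billion laughs" vector
            findings.append(("internal_entity", name))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)
    return findings


def parse_untrusted_xml(data):
    """Scan first; parse into an ElementTree root only if the scan is clean."""
    findings = scan_xml(data)
    if findings:
        raise UnsafeXML(f"rejected XML input: {findings}")
    return ET.fromstring(data)


# Constructed sample inputs for the example.
BENIGN_DOC = '<?xml version="1.0"?><note><to>ops</to><body>hello</body></note>'

XXE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [\n'
    '  <!ENTITY xxe SYSTEM "file:///placeholder/secret.txt">\n'
    ']>\n'
    '<note>&xxe;</note>'
)


if __name__ == "__main__":
    print("benign:", scan_xml(BENIGN_DOC))
    print("xxe:", scan_xml(XXE_DOC))
    try:
        parse_untrusted_xml(XXE_DOC)
    except UnsafeXML as exc:
        print("refused:", exc)
```

The scan runs expat with declaration callbacks only, so it never resolves an external reference itself; the findings list is what a log line or alert would carry when input is refused.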


Remediation

Install updates from the vendor's website.

External links