Insufficient Granularity of Access Control in Asterisk Open Source and Certified Asterisk - CVE-2026-57202

 


Published: June 26, 2026


Vulnerability identifier: #VU135552
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-57202
CWE-ID: CWE-1220
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Digium (Linux Support Services)
Affected software:
Asterisk Open Source
Certified Asterisk

Detailed vulnerability description

The vulnerability allows a remote user to perform unauthorized file writes.

The vulnerability exists due to insufficient granularity of access control in the ARI setChannelVar functionality when handling requests to set channel variables using the FILE() dialplan function. A remote user can send a specially crafted request to perform unauthorized file writes.

The Asterisk HTTP webserver must be enabled, and the issue is reachable only if the attacker can connect to that server. Valid read-only ARI credentials are required.
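Added example, not part of this advisory or of the Asterisk project: detection logic a defender can run over HTTP access logs to flag ARI setChannelVar calls whose variable name invokes the FILE() dialplan function. It assumes a reverse proxy in front of the Asterisk HTTP server writes combined-format access logs (Asterisk itself does not emit such a log); the log lines, addresses and channel IDs below are constructed.

```python
"""Flag ARI setChannelVar requests that name the FILE() dialplan function.

Assumption (not from the advisory): a reverse proxy in front of the Asterisk
HTTP server writes combined-format access logs. Sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# ARI setChannelVar is POST /ari/channels/{channelId}/variable
SET_VAR_PATH = re.compile(r'^/ari/channels/[^/]+/variable$')
# Dialplan function names are case-insensitive; the request may percent-encode them.
FILE_FUNC = re.compile(r'^\s*FILE\s*\(', re.IGNORECASE)


def flag_file_writes(lines):
    """Return (client, channel_id, variable) for each setChannelVar call using FILE()."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        url = urlsplit(m['target'])
        if not SET_VAR_PATH.match(url.path):
            continue
        # Only the query-string form is inspected; ARI also accepts parameters in
        # the request body, which an access log does not record.
        # parse_qs percent-decodes once; unquote_plus catches a second encoding layer.
        variable = unquote_plus(parse_qs(url.query).get('variable', [''])[0])
        if FILE_FUNC.match(variable):
            channel_id = url.path.split('/')[3]
            hits.append((m['client'], channel_id, variable))
    return hits


# Constructed sample: one FILE() write, one ordinary variable set, one unrelated GET.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2026:10:00:01 +0000] "POST /ari/channels/1719396001.42/variable'
    '?variable=FILE%28/tmp/constructed%29&value=x HTTP/1.1" 204 0',
    '203.0.113.6 - - [26/Jun/2026:10:00:02 +0000] "POST /ari/channels/1719396001.43/variable'
    '?variable=CALLERID(name)&value=Alice HTTP/1.1" 204 0',
    '203.0.113.7 - - [26/Jun/2026:10:00:03 +0000] "GET /ari/channels HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    for client, channel_id, variable in flag_file_writes(SAMPLE_LOG):
        print(f"ALERT {client} set {variable!r} on channel {channel_id} via ARI")
```

A hit from a read-only ARI user on an unpatched host is the condition this advisory describes and warrants investigation of what was written.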


How to mitigate CVE-2026-57202

Install the security update from the vendor's website.

Sources