Path traversal in Asterisk Open Source and Certified Asterisk - CVE-2026-57200


Published: June 26, 2026


Vulnerability identifier: #VU135556
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-57200
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Digium (Linux Support Services)
Affected software:
Asterisk Open Source
Certified Asterisk

Detailed vulnerability description

The vulnerability allows a remote user to execute write operations and conditionally execute arbitrary code.

The vulnerability exists due to improper access control and path traversal in the ARI REST-over-WebSocket feature when handling authenticated WebSocket requests. A remote, authenticated user can send crafted requests that cause Asterisk to load a module from an arbitrary path, allowing write operations and, conditionally, execution of arbitrary code.

The Asterisk HTTP web server must be enabled, and the attacker must be able to connect to it. The issue affects read-only ARI credentials, so a read-only account is sufficient to reach the vulnerable code path.
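The advisory classifies the issue as CWE-22 (path traversal) in a module-loading request. The following is an added example, not Asterisk's own code or its fix, showing the two checks a loader should apply to a caller-supplied module name: an allowlist on the name itself and a containment check that lexically normalises the joined path and verifies it still lies under the module directory. The module directory, function names and sample inputs are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed module directory, for illustration only. */
#define MODULE_DIR "/usr/lib/asterisk/modules"

/* Allowlist check on the bare module name: no path separators, no "..",
 * no leading dot, only [A-Za-z0-9_.-]. Returns 1 if acceptable, 0 otherwise. */
int module_name_is_safe(const char *name)
{
    size_t i, n = strlen(name);
    if (n == 0 || n > 255 || name[0] == '.' || strstr(name, "..") != NULL)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Containment check: join base and name, resolve "." and ".." lexically,
 * and accept only if the result is strictly inside base. Writes the
 * normalised path to out on success. Lexical only: symlinks are not
 * resolved, so this complements rather than replaces the allowlist above.
 * Returns 1 if contained, 0 otherwise. */
int contained_path(const char *base, const char *name, char *out, size_t outlen)
{
    char joined[1024];
    const char *segs[128];
    size_t nsegs = 0, pos = 0, i, blen = strlen(base);
    char *tok, *save;

    /* An absolute name would bypass the base directory entirely. */
    if (name[0] == '/' || blen + strlen(name) + 2 > sizeof(joined))
        return 0;
    snprintf(joined, sizeof(joined), "%s/%s", base, name);

    for (tok = strtok_r(joined, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {       /* ".." pops one segment */
            if (nsegs > 0)
                nsegs--;
            continue;
        }
        if (nsegs == sizeof(segs) / sizeof(segs[0]))
            return 0;
        segs[nsegs++] = tok;
    }

    out[0] = '\0';
    for (i = 0; i < nsegs; i++) {
        int w = snprintf(out + pos, outlen - pos, "/%s", segs[i]);
        if (w < 0 || (size_t)w >= outlen - pos)
            return 0;
        pos += (size_t)w;
    }

    /* Must share the base prefix and have a separator right after it, so
     * "/usr/lib/asterisk/modules" itself or "/usr/lib/asterisk/modules2/x" fail. */
    return strncmp(out, base, blen) == 0 && out[blen] == '/';
}

int main(void)
{
    /* Constructed sample inputs: one legitimate name, two traversal attempts. */
    const char *samples[] = { "res_ari.so", "../../../../tmp/evil.so", "/tmp/evil.so" };
    char path[512];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int ok = module_name_is_safe(samples[i]) &&
                 contained_path(MODULE_DIR, samples[i], path, sizeof(path));
        printf("%-28s -> %s\n", samples[i], ok ? path : "rejected");
    }
    return 0;
}
```

The allowlist alone already rejects every traversal form, and the containment check is the belt to its braces: it catches names that slip past a looser allowlist or arrive through a different entry point. Neither check handles symlinks inside the module directory; a production loader would additionally resolve the final path with realpath(3) before opening it.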


How to mitigate CVE-2026-57200

Install the security update from the vendor's website.

Sources