Anyone using the API module for GraphQL management of their FreePBX systems – including any test instances – should thoroughly review these two CVEs and upgrade their api module on all currently supported versions of FreePBX (v16 and v17 at time of this posting.)
Below is the warning image that you should see in the FreePBX Dashboard regarding these updates as well as the backup module (which also saw a security fix today - CVE-2026-26978.) If you don’t see either of these updates and your system did not update (automatically) to the latest fixed versions – api 16.0.18 / 17.0.8 and backup 16.0.71 / 17.0.6 – then please let us know, and double check your MODULE_REPO setting as this may be causing issues:
$ fwconsole setting MODULE_REPO
