Auth bypass in Mwtcmi Frogman

CVE-2026-46515

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_…

Vulnerability class: Broken Access Control

Affected products

Weakness classification (CWE)

References