Security Advisory - Published 2026-06-17 - OpenSIPS Control Panel

CVE-2026-36670: check OpenSIPS Control Panel before 9.3.3

CVE-2026-36670 affects OpenSIPS Control Panel before 9.3.3. The reported issue is SQL injection in the alias management area, reachable by a logged-in panel user. Treat internet-facing panels and shared admin accounts as the first things to review: because a valid login is all the reported issue needs, every extra person or system holding panel credentials widens who can reach the affected code.

Defensive scope: this page is for owned VoIP infrastructure and client-approved review. It does not include SQL payloads, request samples, or instructions for testing third-party panels.

Who is affected

Product         OpenSIPS Control Panel (also known as opensips-cp)
CVE             CVE-2026-36670
Affected range  Versions before 9.3.3
Main risk       Authenticated SQL injection in alias management
Fixed version   9.3.3 or newer

Version and exposure check

# Locate panel installs under the usual web roots (adjust the roots to your layout;
# '*opensips*' already matches 'opensips-cp')
find /var/www /usr/share /opt -maxdepth 5 -iname '*opensips*' 2>/dev/null
# Pull version strings and panel references from those roots; read the hits by hand
grep -R -E 'OPENSIPSCP|opensips-cp|version' /var/www /usr/share /opt 2>/dev/null | head -80
# Confirm which web server and PHP runtime serve the panel, so the right access and error logs get reviewed
systemctl status --no-pager apache2 httpd nginx php-fpm 2>/dev/null

If the control panel is reachable from the internet, put it behind VPN, SSO, or an IP allow list before deeper review. Do not rely on the login page: the reported issue is reachable by an authenticated user, so any leaked, guessed, or shared credential turns exposure into access.

Logs to review

  • Successful logins to the control panel after June 15, 2026.
  • Repeated requests to alias management pages from unfamiliar source addresses.
  • Database errors, slow queries, or unusual reads from OpenSIPS subscriber, alias, routing, or domain tables.
  • New or changed panel users, database users, SIP aliases, routing rules, and trusted gateways.
  • Outbound SIP traffic that does not match normal customers, trunks, or test ranges.

Safe fix path

  1. Upgrade OpenSIPS Control Panel to 9.3.3 or newer.
  2. Restrict the panel to a private network path and keep it out of public search results.
  3. Disable shared panel accounts and rotate administrator passwords.
  4. Review database users used by the panel. Remove broad privileges that are not needed.
  5. Preserve web, PHP, database, and SIP routing logs before deleting suspicious changes.

Signs that need incident review

  • Unknown panel sessions or logins from hosting providers, proxies, or unfamiliar countries.
  • Alias, route, trunk, gateway, or rate-plan changes that do not match a maintenance ticket.
  • Database errors around alias management followed by configuration changes.
  • Unexpected calls, registration attempts, billing spikes, or SIP traffic after the exposure window.
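The log items above (repeated alias-tool requests from unfamiliar addresses, database errors around alias management, and errors followed by configuration changes) can be pulled out of the web server access log with a short script. The following is an added example written for this page; it is not code from the advisory or from the OpenSIPS project. It assumes Apache/nginx "combined" log format, that the alias tool is reachable under a URL containing ALIAS_PATH_HINT (a placeholder to replace with the real path on your install), that admin traffic normally comes from the networks passed to triage(), and that the log lines are in chronological order. The sample log lines are constructed, not real traffic.

```python
"""Access-log triage for the CVE-2026-36670 review window.

Added example for this page, not code from the advisory or the OpenSIPS
project. Assumptions: combined log format, alias tool URL contains
ALIAS_PATH_HINT (placeholder), admin access comes from known networks,
and log lines are in time order.
"""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

ALIAS_PATH_HINT = "alias"  # assumption: substring of the alias management URL
REVIEW_START = datetime(2026, 6, 15, tzinfo=timezone.utc)  # window named on this page

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def _is_admin_source(ip_text, nets):
    """True if the source is inside one of the expected admin networks."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False  # hostname or junk in the address field: treat as unfamiliar
    return any(addr in net for net in nets)


def triage(lines, admin_networks, start=REVIEW_START):
    """Summarise alias-tool requests per source address outside admin_networks.

    Returns a list of (ip, stats) sorted by request count, highest first.
    stats["errors_then_write"] is True when a 5xx response (the page's
    "database errors" signal) was later followed by a successful POST from
    the same address, i.e. a failure followed by an accepted change.
    """
    nets = [ip_network(n) for n in admin_networks]
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < start:
            continue  # unparseable, or before the review window
        if ALIAS_PATH_HINT not in rec["path"].lower():
            continue  # not the alias tool
        if _is_admin_source(rec["ip"], nets):
            continue  # expected admin source; out of scope for this check
        s = stats.setdefault(rec["ip"], {
            "requests": 0, "server_errors": 0, "errors_then_write": False,
            "first": rec["ts"], "last": rec["ts"],
        })
        s["requests"] += 1
        s["last"] = rec["ts"]
        if rec["status"] >= 500:
            s["server_errors"] += 1
        elif rec["method"] == "POST" and s["server_errors"] and 200 <= rec["status"] < 300:
            s["errors_then_write"] = True
    return sorted(stats.items(), key=lambda kv: kv[1]["requests"], reverse=True)


# Constructed sample lines (not real traffic). 203.0.113.0/24 is the admin
# network; 198.51.100.7 is an unfamiliar address. The alias URL is a placeholder.
SAMPLE_LOG = """\
203.0.113.10 - admin [16/Jun/2026:09:58:01 +0000] "GET /cp/tools/alias_management/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2026:23:10:44 +0000] "GET /cp/tools/alias_management/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2026:10:00:02 +0000] "GET /cp/tools/alias_management/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2026:10:00:05 +0000] "POST /cp/tools/alias_management/ HTTP/1.1" 500 412 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2026:10:00:06 +0000] "POST /cp/tools/alias_management/ HTTP/1.1" 500 412 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2026:10:00:09 +0000] "POST /cp/tools/alias_management/ HTTP/1.1" 200 9802 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2026:10:01:00 +0000] "GET /cp/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(ip, s["requests"], "alias requests,", s["server_errors"], "5xx,",
              "error then accepted write" if s["errors_then_write"] else "no write after error,",
              s["first"].isoformat(), "->", s["last"].isoformat())
```

To use it on a real host, replace SAMPLE_LOG with the lines of the panel's access log (for example /var/log/apache2/access.log or the nginx equivalent), set ALIAS_PATH_HINT to the actual alias tool path, and pass the networks your administrators really use. The errors-then-write heuristic only looks at 5xx responses visible in the access log; the PHP and database error logs should be read alongside it, because an injection that returns a 200 page leaves nothing here.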

Repair help

Use Ping7 CVE Repair if the panel was public, administrator activity is unclear, or SIP routing changed near the advisory window. Send the panel version, web-server type, exposure status, and the first suspicious timestamp.

References