Security Advisory - Published 2026-06-17 - OpenSIPS Control Panel
CVE-2026-36670: check OpenSIPS Control Panel before 9.3.3
CVE-2026-36670 affects OpenSIPS Control Panel before 9.3.3. The reported issue is SQL injection in the alias management area. Treat internet-facing panels and shared admin accounts as the first things to review.
Who is affected
| Field | Detail |
|---|---|
| Product | OpenSIPS Control Panel, also known as opensips-cp |
| CVE | CVE-2026-36670 |
| Affected range | Versions before 9.3.3 |
| Main risk | Authenticated SQL injection in alias management |
| Fixed version | 9.3.3 or newer |
Version and exposure check
```shell
# Locate control panel installs; the glob also matches directories named opensips-cp
find /var/www /usr/share /opt -maxdepth 5 -iname '*opensips*' 2>/dev/null
# Look for product and version strings inside the install tree
grep -R -E "OPENSIPSCP|opensips-cp|version" /var/www /usr/share /opt 2>/dev/null | head -80
# Confirm which web server and PHP runtime serve the panel
systemctl status apache2 httpd nginx php-fpm 2>/dev/null
```

If the control panel is reachable from the internet, put it behind a VPN, SSO, or an IP allow list before deeper review. A login page still exposes the application.
Logs to review
- Successful logins to the control panel after June 15, 2026.
- Repeated requests to alias management pages from unfamiliar source addresses.
- Database errors, slow queries, or unusual reads from OpenSIPS subscriber, alias, routing, or domain tables.
- New or changed panel users, database users, SIP aliases, routing rules, and trusted gateways.
- Outbound SIP traffic that does not match normal customers, trunks, or test ranges.
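As an added illustration of the second and third log checks above (alias-page requests from unfamiliar addresses, and database errors around them), not part of the advisory: a small Python scanner over constructed combined-format web log lines. The alias page path `/cp/aliases/`, the admin network `10.0.0.0/8`, and the use of HTTP 5xx as a stand-in for database errors are assumptions; substitute the real values from your own installation.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# "/cp/aliases/" is an ASSUMED placeholder for the alias management page path.
SAMPLE_LOG = """\
10.0.0.5 - admin [16/Jun/2026:08:01:10 +0000] "GET /cp/aliases/list.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Jun/2026:09:14:02 +0000] "GET /cp/aliases/list.php?id=7 HTTP/1.1" 500 310 "-" "curl/8.0"
203.0.113.9 - - [16/Jun/2026:09:14:03 +0000] "GET /cp/aliases/list.php?id=7 HTTP/1.1" 200 8800 "-" "curl/8.0"
198.51.100.7 - - [14/Jun/2026:17:30:00 +0000] "GET /cp/aliases/list.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2026:02:45:19 +0000] "POST /cp/login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def flag_alias_requests(log_text, trusted_nets, since, alias_marker="/aliases/"):
    """Count alias-page requests after `since` from addresses outside trusted_nets.
    Returns {ip: {"hits": n, "errors": n}}; errors = HTTP 5xx, a proxy for DB errors."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], TS_FMT)
        if ts < since or alias_marker not in m["path"]:
            continue  # outside the exposure window, or not an alias page
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue  # known admin network, not an unfamiliar source
        entry = findings.setdefault(m["ip"], {"hits": 0, "errors": 0})
        entry["hits"] += 1
        if m["status"].startswith("5"):
            entry["errors"] += 1
    return findings

def check_sample():
    """Run the check over the constructed sample with 10.0.0.0/8 as the admin network."""
    return flag_alias_requests(SAMPLE_LOG, ["10.0.0.0/8"],
                               since=datetime(2026, 6, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    for ip, counts in check_sample().items():
        print(f"{ip}: {counts['hits']} alias-page requests, {counts['errors']} server errors")
```

Point the function at a real access log and your own allow list; an address with several alias-page hits and 5xx responses in the window is a starting point for the incident review items below.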
Safe fix path
- Upgrade OpenSIPS Control Panel to 9.3.3 or newer.
- Restrict the panel to a private network path and keep it out of public search results.
- Disable shared panel accounts and rotate administrator passwords.
- Review database users used by the panel. Remove broad privileges that are not needed.
- Preserve web, PHP, database, and SIP routing logs before deleting suspicious changes.
Signs that need incident review
- Unknown panel sessions or logins from hosting providers, proxies, or unfamiliar countries.
- Alias, route, trunk, gateway, or rate-plan changes that do not match a maintenance ticket.
- Database errors around alias management followed by configuration changes.
- Unexpected calls, registration attempts, billing spikes, or SIP traffic after the exposure window.
Repair help
Use Ping7 CVE Repair if the panel was public, administrator activity is unclear, or SIP routing changed near the advisory window. Send the panel version, web-server type, exposure status, and the first suspicious timestamp.