VitalPBX 4.5.3 R7: Security Patches & New Features

VitalPBX 4.5.3 R7, released June 24, 2026, is a focused but high-impact update that every administrator running VitalPBX should apply promptly. The release leads with mandatory NGINX security patches addressing two critical CVEs, then layers in practical additions — a new PJSIP endpoint filter, expanded trunk controls, drag-and-drop certificate uploads, and a meaningful fix for multi-tenant call traffic reporting.

Whether you’re managing a single business PBX or a multi-tenant deployment for dozens of clients, this update tightens security, adds visibility into your SIP infrastructure, and improves real-time communication performance. Here’s everything that changed and why it matters.

Critical Security Update: NGINX CVE Patches (Act Now)

The most urgent change in 4.5.3 R7 is the enforced upgrade of NGINX to version 1.22.1-9+deb12u8 or higher, specifically to address two critical vulnerabilities:

  • CVE-2026-9256 — A remotely exploitable vulnerability in the NGINX HTTP processing layer
  • CVE-2026-42946 — A critical flaw affecting NGINX request handling that could allow unauthorized access or denial of service

These CVEs carry critical severity ratings. If your VitalPBX server is internet-facing — and most are — leaving NGINX unpatched puts your PBX infrastructure at risk. Updating to 4.5.3 R7 enforces the minimum safe NGINX version and mitigates both vulnerabilities automatically during the update process.

What to do: Update your VitalPBX installation to 4.5.3 R7 as soon as possible. For multi-tenant deployments, apply the update across all nodes. Refer to the VitalPBX Wiki — Update Guide for step-by-step instructions.

What’s New in VitalPBX 4.5.3 R7

Registration Status Filter for PJSIP Endpoints

The PJSIP Endpoints report now includes a registration status filter, making it faster to identify which devices are actively registered versus offline or unreachable.

For administrators managing deployments with dozens or hundreds of extensions, this removes the need to scroll through a full endpoint list. Filter by “registered,” “unregistered,” or “unknown” to quickly isolate connectivity issues — useful during troubleshooting or after a network change when you need to confirm all devices came back online.

New PJSIP Trunk Parameters: support_path and fatal_retry_interval

Two previously hidden PJSIP trunk parameters are now configurable directly from the VitalPBX interface:

  • support_path — Enables Path header support on SIP registrations, which is required by some SIP trunk providers for correct routing when the PBX sits behind NAT or a SIP proxy.
  • fatal_retry_interval — Controls how long VitalPBX waits before retrying a trunk registration after a fatal failure response (such as a 403 or 503). Tuning this prevents aggressive retry loops that could trigger rate limiting at your SIP provider.

These parameters have always been available in Asterisk’s PJSIP configuration but required manual file editing or custom dialplan work to set. Exposing them in the UI makes trunk troubleshooting and fine-tuning significantly more accessible.

Drag-and-Drop Certificate File Uploads

Uploading custom SSL/TLS certificates now supports drag-and-drop directly in the interface. Previously, certificate file uploads required the standard file browser dialog. This small UX improvement speeds up the process, particularly when managing multiple tenant certificates in a multi-tenant deployment.

Extensions API Now Returns SMS Connection Details

The extensions API read endpoint has been updated to populate and return SMS connection numbers and provider details alongside standard extension data. Developers and integrations relying on the VitalPBX API to sync extension data — such as CRM connectors, provisioning systems, or custom portals — will now receive complete SMS-related context without requiring a separate API call.

Improvements in 4.5.3 R7

OpenSSL-Based Certificate Chain Verification

VitalPBX now performs OpenSSL-based certificate chain verification when custom certificates are submitted. The system validates the full certificate chain — from leaf to root CA — before accepting the configuration. This prevents common misconfigurations like incomplete certificate chains or mismatched intermediate certificates that would otherwise cause TLS handshake failures and confusing error messages downstream.

If a certificate chain is invalid, VitalPBX will reject it at upload time rather than silently accepting it and failing later in production.

WebSocket Proxy Optimization for Real-Time Streaming

NGINX proxy settings have been updated and a specialized WebSocket proxy has been configured to handle real-time event streaming more reliably. This directly benefits any feature that relies on persistent WebSocket connections — including Vitxi (the WebRTC softphone), Sonata Switchboard, and live call monitoring dashboards.

In environments with high concurrent WebSocket sessions, the previous general-purpose proxy configuration could introduce instability. The dedicated WebSocket proxy resolves this and improves connection stability under load.

FastAGI for Dynamic Routing — Faster Call Processing

Dynamic routing dialplan configuration has been updated to use FastAGI actions instead of the previous AGI mechanism. FastAGI uses a persistent TCP connection to the AGI server rather than spawning a new process per call, which meaningfully reduces latency in dynamic routing lookups.

For deployments that rely heavily on dynamic routing — particularly call centers and multi-tenant environments with complex inbound routing rules — this change reduces the per-call overhead and improves responsiveness when routing decisions need to be made in real time.

Bug Fix: Multi-Tenant Call Traffic Now Displays Correctly

A reporting bug has been resolved: the main tenant’s call traffic view now correctly displays calls across all tenants instead of showing only the main tenant’s own traffic. This affected administrators using the main tenant dashboard to get a system-wide call volume picture. The fix ensures accurate, consolidated call traffic reporting at the top level.

Frequently Asked Questions

What CVEs does VitalPBX 4.5.3 R7 patch?

VitalPBX 4.5.3 R7 enforces NGINX version 1.22.1-9+deb12u8 or higher to address two critical vulnerabilities: CVE-2026-9256 and CVE-2026-42946. Both affect the NGINX layer that VitalPBX uses as its web server and reverse proxy. These CVEs are rated critical severity, and the update applies the patch automatically when you upgrade to 4.5.3 R7. All VitalPBX administrators — particularly those running internet-facing servers — should apply this update immediately.

Do I need to update to 4.5.3 R7 right away?

Yes, if your VitalPBX server is accessible from the internet. The NGINX CVE patches included in this release address critical vulnerabilities, which means exploitation risk is significant without the patch. For air-gapped or strictly internal deployments the urgency is lower, but the update still brings meaningful improvements to routing performance, certificate validation, and multi-tenant reporting that are worth applying promptly.

What is the new PJSIP registration status filter and how do I use it?

The registration status filter is a new dropdown in the PJSIP Endpoints report that lets you filter extensions by their current registration state: registered, unregistered, or unknown. To use it, navigate to Reports → PJSIP Endpoints and select a status from the filter menu. This is particularly useful after network events to confirm which extensions have reconnected, or during initial setup to verify provisioned devices are registering successfully.

What does exposing support_path and fatal_retry_interval on PJSIP trunks mean for my setup?

These are advanced SIP trunk parameters that were previously only configurable by editing Asterisk configuration files directly. support_path enables Path header support for registrations — required by some trunk providers when the PBX is behind NAT or a SIP proxy. fatal_retry_interval sets the delay before VitalPBX retries a trunk registration after a fatal failure, preventing excessive retry loops. Both are now available in the PJSIP Trunks configuration screen. If your trunks are working correctly, you don’t need to change anything; these parameters are for specific provider requirements or troubleshooting scenarios.

How does the FastAGI improvement affect call routing performance?

FastAGI replaces the standard AGI mechanism for dynamic routing dialplan execution. Standard AGI spawns a new process for each call that requires a routing lookup, which adds latency and resource overhead at scale. FastAGI maintains a persistent TCP connection to the AGI server, eliminating process startup overhead. In practice, this means faster routing decisions — especially noticeable in high-call-volume environments or deployments with complex dynamic routing rules where every millisecond of processing time affects caller experience.

What changed in the extensions API?

The extensions API read endpoint now returns SMS connection numbers and provider details in its response payload. Previously, this data was not included, requiring developers to make additional API calls or manually cross-reference SMS configuration. With 4.5.3 R7, any system polling the extensions API — provisioning platforms, CRM integrations, or custom admin portals — receives complete extension data including SMS context in a single request.

Update to VitalPBX 4.5.3 R7 Today

This release combines urgency (critical security patches) with practical improvements that make VitalPBX easier to operate and more performant under load. The NGINX CVE fixes alone make this a mandatory update for production deployments.

Ready to upgrade? Visit the VitalPBX Wiki for the update guide. If you’re not yet on VitalPBX and want to see what a modern, award-winning open-source PBX looks like in action, explore the plans or book a demo with the team.

Our Latest Post