The Kamailio SIP Server project released two security advisories on April 7, 2026. You can find the details here:
- CVE-2026-39863: Core – TCP Data Processing Vulnerability (high)
- CVE-2026-39864: Auth – Processing Vulnerability For Additional Authenticated User Identity Checks (moderate)
We strongly suggest updating your Kamailio installation to the latest stable version.
The issues were found over the last few months and fixed quickly. The code related to these issues is a bit old, and we have not seen anyone exploit these vulnerabilities yet. But now that the CVE reports are out, there may be a higher chance of someone trying to exploit them.
If you have any private thoughts about these advisories or want to report any new security problems, please reach out to security [at] lists.kamailio.org.
Thanks for flying Kamailio!
