CVE-2026-44329
CRITICAL
10,0
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: low
Integrity: high
Availability: high
Description
AI Translation Available
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.
306
Missing Authentication for Critical Function
DraftCommon Consequences
Security Scopes Affected:
Access Control
Other
Potential Impacts:
Gain Privileges Or Assume Identity
Varies By Context
Applicable Platforms
Technologies:
Cloud Computing, ICS/OT
862
Missing Authorization
IncompleteCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Access Control
Availability
Potential Impacts:
Read Application Data
Read Files Or Directories
Modify Application Data
Modify Files Or Directories
Gain Privileges Or Assume Identity
Bypass Protection Mechanism
Dos: Crash, Exit, Or Restart
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Dos: Resource Consumption (Other)
Applicable Platforms
Technologies:
AI/ML, Web Server, Database Server, Not Technology-Specific
https://github.com/free5gc/free5gc/issues/887
https://github.com/free5gc/free5gc/security/advisories/GHSA-3258-qmv8-frp3
https://github.com/free5gc/smf/commit/e23ce97565f285eb99eed153743c62bf4c767c6e
https://github.com/free5gc/smf/pull/197