CRITICAL🇵🇱 Wersja polska

CVE-2026-44329

CVSS 10.0v3.1pub. 2026-05-27upd. 2026-05-28

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.

🤖 AI Analysis
How it works

The SMF component mounts a UPI management route group without middleware verifying OAuth2/bearer token. This means HTTP requests go directly to SMF business handlers, bypassing any identity control. In a Docker environment, it was confirmed that GET /upi/v1/upNodesLinks (read), POST /upi/v1/upNodesLinks with arbitrary attacker payload (write), and DELETE /upi/v1/upNodesLinks/{nodeID} (delete) operations are possible. The vulnerability results from missing authorization mechanisms (CWE-306: missing authentication for critical function, CWE-862: missing authorization verification).

Impact

An attacker with access to the SBI interface can read, modify, or delete User Plane node and connection configuration without authentication, which may lead to disruption or complete interruption of user traffic in the 5G core network and unauthorized takeover of User Plane topology control.

Mitigation & patch

The SMF component should be updated to version 4.2.2, which introduces a fix adding required OAuth2/bearer-token authorization on UPI endpoints. Patch available in the repository: commit e23ce97565f285eb99eed153743c62bf4c767c6e in the free5gc/smf project. Until the update is applied, restrict network access to the SBI interface exclusively to trusted hosts using firewall or network rules.

Who is affected

free5GC SMF in all versions prior to 4.2.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
  • Free5gc

    APP
    Free5Gc
    < 4.2.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-44330CRITICAL10.0PL ✓ten sam produkt

free5GC NEF: brak autoryzacji OAuth2 na trasach nnef-pfdmanagement

CVE-2026-44327CRITICAL10.0PL ✓ten sam produkt

Brak autoryzacji OAuth2 w grupie tras OAM w free5GC NEF (5G core)

CVE-2026-44326CRITICAL9.4PL ✓ten sam produkt

Brak autoryzacji OAuth2 w API NEF systemu free5GC (5G core)

CVE-2026-44315CRITICAL9.4PL ✓ten sam produkt

Brak autoryzacji OAuth2 w NEF API sieci 5G (free5GC)

CVE-2023-4659CRITICAL9.8ten sam produkt

Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different acti...