Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI. In NewServer(), the smPolicyGroup route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as Npcf_PolicyAuthorization do attach RouterAuthorizationCheck before route registration. Because the middleware is missing, requests to the /npcf-smpolicycontrol/v1/sm-policies, /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}, /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update, and /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete endpoints can reach business logic even when no valid OAuth token is provided. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PCF Npcf_SMPolicyControl service fails to attach authentication middleware when registering its SM‑policy route group, which creates a classic authentication bypass (CWE‑862). As a result, HTTP requests to endpoints such as "/npcf-smpolicycontrol/v1/sm-policies" and related management paths can reach the business logic without any valid OAuth token, allowing an attacker to retrieve or alter subscriber session‑management policies and to expose the subscriber’s SUPI. The absence of authentication directly compromises subscriber confidentiality and enables unauthorized control of core‑network functions.

Affected Systems

This vulnerability affects the free5GC PCF component, version 4.2.1 and earlier, in the free5gc:free5gc open‑source implementation of the 5G core network. Deployments running a pre‑4.2.2 build expose SM‑policy endpoints to unauthenticated traffic.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. Based on the description, it is inferred that an attacker who can reach the PCF service—whether from a compromised user equipment, a malicious internal node, or an external host if the endpoint is exposed—can issue unauthenticated requests with no additional exploits or privileges. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalogue, but the combination of an authentication bypass and publicly reachable endpoints makes this a low‑effort, high‑impact flaw.

Generated by OpenCVE AI on May 27, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later to install the missing authentication middleware.
  • Ensure all PCF endpoints enforce OAuth token validation and reject unauthenticated requests before processing business logic.
  • Apply network segmentation or firewall rules to restrict access to the SM‑policy endpoints so that only trusted core‑network components can reach them.
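The check behind the second recommendation, as an added example (not free5GC code): a Go regression test that sends a token-less request to each route group and flags any group whose handlers run anyway. It uses net/http in place of the project's router; `authCheck`, `newServer(protectSM)`, the `probe` path and the policy-authorization prefix are assumptions.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

var groups = []string{"/npcf-policyauthorization/v1/", "/npcf-smpolicycontrol/v1/"} // first prefix is assumed

// authCheck is a hypothetical stand-in for the router authorization middleware (presence check only).
func authCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newServer registers both groups; protectSM=false reproduces the missing-middleware pattern.
func newServer(protectSM bool) http.Handler {
	mux := http.NewServeMux()
	logic := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux.Handle(groups[0], authCheck(logic))
	if protectSM {
		mux.Handle(groups[1], authCheck(logic)) // fixed: check attached before the handlers
	} else {
		mux.Handle(groups[1], logic) // flawed: handlers reachable without a token
	}
	return mux
}

// unauthenticatedGroups probes each group without a token and lists those not answering 401.
func unauthenticatedGroups(h http.Handler) (open []string) {
	for _, p := range groups {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p+"probe", nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	fmt.Println("before fix:", unauthenticatedGroups(newServer(false)))
	fmt.Println("after fix: ", unauthenticatedGroups(newServer(true)))
}
```

Run in CI against the real router, a non-empty result fails the build before an unprotected group ships.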

Advisories
Source: Github GHSA
ID: GHSA-6rgm-gr97-x3j5
Title: Free5GC PCF: Missing authentication middleware in Npcf_SMPolicyControl allows access to SM policy handlers and disclosure of subscriber SUPI

History

Wed, 27 May 2026 19:30:00 +0000

Values Added, by type:
Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:30:00 +0000

Values Added, by type:
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI. In NewServer(), the smPolicyGroup route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as Npcf_PolicyAuthorization do attach RouterAuthorizationCheck before route registration. Because the middleware is missing, requests to the /npcf-smpolicycontrol/v1/sm-policies, /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}, /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update, and /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete endpoints can reach business logic even when no valid OAuth token is provided. This vulnerability is fixed in 4.2.2.
Title free5GC: PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI
Weaknesses CWE-862
References
Metrics cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:47:55.216Z

Reserved: 2026-04-23T19:17:30.566Z

Link: CVE-2026-42083

Vulnrichment

Updated: 2026-05-27T17:46:20.117Z

NVD

Status: Undergoing Analysis

Published: 2026-05-27T17:16:35.327

Modified: 2026-05-27T19:51:27.110

Link: CVE-2026-42083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:15:25Z
