Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authentication and authorization guard on free5GC’s SMF UPI management endpoints allows an attacker with network reach to the Service Specific Interface (SBI) to issue GET, POST, and DELETE requests without an Authorization header. These unauthenticated requests are processed by the SMF business handlers, enabling read of topology details, creation of new UP‑node and link entries, and deletion of existing topology objects. The weakness is captured by CWE‑306 and CWE‑862. The lack of credential checks means an attacker can directly alter the network’s topology configuration when targeting the SMF UPI routes.

Affected Systems

The vulnerability is present in all releases of free5GC free5gc before version 4.2.2, specifically affecting the SMF component’s UPI management interface. The issue was resolved in commit e23ce97565f285eb99eed153743c62bf4c767c6e and incorporated in the 4.2.2 release.

Risk and Exploitability

The CVSS score of 10 indicates a critical severity, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly disclosed exploitation yet. Nonetheless, because any network‑reachable entity can send unauthenticated requests to the SMF SBI, the exploitation likelihood is high for environments that expose or do not adequately isolate these interfaces. Successful exploitation would permit an attacker to read sensitive network state or modify node/link relationships, potentially leading to service disruption or degradation of network availability.

Generated by OpenCVE AI on May 27, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later to enable authentication middleware on the SMF UPI routes.
  • If an upgrade is not immediately possible, restrict inbound traffic to the SMF SBI interface using firewall rules or network segmentation to allow only trusted core network peers.
  • Apply the upstream patch commit e23ce97565f285eb99eed153743c62bf4c767c6e or an equivalent fix to add the missing authentication middleware before deploying the new release.

Generated by OpenCVE AI on May 27, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3258-qmv8-frp3 free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
History

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.
Title free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
Weaknesses CWE-306
CWE-862
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:00:50.844Z

Reserved: 2026-05-05T19:00:06.023Z

Link: CVE-2026-44329

cve-icon Vulnrichment

Updated: 2026-05-28T15:00:36.593Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:38.490

Modified: 2026-06-17T10:50:30.810

Link: CVE-2026-44329

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-862

    Missing Authorization