CVE-2026-44329
CRITICALfree5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
Title source: cnaDescription
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/free5gc/free5gc/security/advisories/GHSA-3258-qmv8-frp3
X_Refsource_Misc x_refsource_misc
https://github.com/free5gc/free5gc/issues/887
X_Refsource_Misc x_refsource_misc
https://github.com/free5gc/smf/pull/197
X_Refsource_Misc x_refsource_misc
https://github.com/free5gc/smf/commit/e23ce97565f285eb99eed153743c62bf4c767c6e
Scores
CVSS v3
10.0
EPSS
0.0031
EPSS Percentile
21.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-306
CWE-862
Status
published
Products (2)
free5gc/free5gc
< 4.2.2 (2 CPE variants)
free5gc/smf
0 - 1.4.3Go
Published
May 27, 2026
Tracked Since
May 27, 2026