PT-2026-39259 · Free5Gc · Free5Gc
Linziyuu
·
Published
2026-05-08
·
Updated
2026-05-28
·
CVE-2026-44329
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
free5GC version 4.2.1
Description
The Session Management Function (SMF) mounts the
UPI management route group without OAuth2 or bearer-token authorization middleware. This allows a network attacker with access to the Service Based Interface (SBI) to perform unauthorized operations by sending requests without an Authorization header. The issue is specific to the UPI route group, as other groups like nsmf-oam are correctly protected.Technical details include the ability to perform the following operations:
- Read operations via the endpoint '/upi/v1/upNodesLinks'.
- Write operations via the endpoint '/upi/v1/upNodesLinks' using a
POSTrequest to inject attacker-controlled UPF nodes and link payloads. - Delete operations via the endpoint '/upi/v1/upNodesLinks/{nodeID}'.
This lack of authentication enables an attacker to read the UP-plane topology, poison the SMF's view of UPFs to bias PDU session selection, or disrupt legitimate UPF participation through deletions.
Exploit
Fix
Missing Authorization
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Free5Gc