CVE-2026-44329
CRITICAL EPSS 24.8%
Published May 27, 2026 (1mo ago) · Modified Jun 17, 2026 (2w ago)
10.0 CVSS 3.1
Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.
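The missing-middleware condition described above can be caught by a regression check that sends each route a request with no Authorization header and expects 401. The following Go code is an added example, not free5GC's code or its fix: `requireAuth`, `newMux` and `openRoutes` are hypothetical names, the handler and node ID are stand-ins, and only the UPI paths come from the description.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// UPI endpoints from the description; "test-node" is a constructed node ID.
var upiRoutes = [][2]string{
	{"GET", "/upi/v1/upNodesLinks"},
	{"POST", "/upi/v1/upNodesLinks"},
	{"DELETE", "/upi/v1/upNodesLinks/test-node"},
}

// requireAuth is a hypothetical stand-in for OAuth2 validation (presence check only).
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux mounts the UPI group; protect=false models the missing middleware.
func newMux(protect bool) http.Handler {
	var h http.Handler = http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // stand-in handler: 200
	if protect {
		h = requireAuth(h)
	}
	mux := http.NewServeMux()
	mux.Handle("/upi/v1/", h)
	return mux
}

// openRoutes lists routes that do not answer 401 without an Authorization header.
func openRoutes(h http.Handler) (open []string) {
	for _, rt := range upiRoutes {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(rt[0], rt[1], nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, rt[0]+" "+rt[1])
		}
	}
	return
}

func main() { fmt.Println(openRoutes(newMux(false)), openRoutes(newMux(true))) }
```

Run against a real router in CI, a check of this shape fails the build whenever a route group is mounted without the authorization middleware.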
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
24.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
- CWE-306: Missing Authentication for Critical Function (Authentication)
- CWE-862: Missing Authorization (Authorization)
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| free5gc | free5gc | * | <4.2.2 |
References 4
- https://github.com/free5gc/free5gc/issues/887
- https://github.com/free5gc/free5gc/security/advisories/GHSA-3258-qmv8-frp3
- https://github.com/free5gc/smf/commit/e23ce97565f285eb99eed153743c62bf4c767c6e
- https://github.com/free5gc/smf/pull/197
Remediation
- https://github.com/free5gc/smf/commit/e23ce97565f285eb99eed153743c62bf4c767c6e
- https://github.com/free5gc/smf/pull/197