CVE-2026-44329

CRITICAL EPSS 24.8%
Published May 27, 2026 · Modified Jun 17, 2026
10.0 CVSS 3.1
Critical

Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.

CVSS Details

Base Score: 10.0
Exploitability: 3.9
Impact: 6.0
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability
24.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-306: Missing Authentication for Critical Function (Authentication)
CWE-862: Missing Authorization (Authorization)

Affected Products 1

Vendor    Product    Version    Range
free5gc   free5gc    *          <4.2.2

References 4

  • github.com https://github.com/free5gc/free5gc/issues/887
    Exploit, Issue Tracking
  • github.com https://github.com/free5gc/free5gc/security/advisories/GHSA-3258-qmv8-frp3
    Exploit, Vendor Advisory
  • github.com https://github.com/free5gc/smf/commit/e23ce97565f285eb99eed153743c62bf4c767c6e
    Patch
  • github.com https://github.com/free5gc/smf/pull/197
    Issue Tracking, Patch

Remediation

  • github.com https://github.com/free5gc/smf/commit/e23ce97565f285eb99eed153743c62bf4c767c6e
    Patch
  • github.com https://github.com/free5gc/smf/pull/197
    Issue Tracking, Patch