PatchSiren cyber security CVE debrief
CVE-2026-42083 free5gc CVE debrief
free5GC prior to version 4.2.2 contains a missing authentication vulnerability in the PCF (Policy Control Function) Npcf_SMPolicyControl service. The smPolicyGroup route group is registered without the RouterAuthorizationCheck middleware, allowing unauthenticated network requests to reach SM policy business logic. Affected endpoints include /npcf-smpolicycontrol/v1/sm-policies and related sub-resources. This contrasts with other PCF service groups such as Npcf_PolicyAuthorization, which correctly apply authorization middleware. Successful exploitation can result in disclosure of subscriber SUPI (Subscription Permanent Identifier) and unauthorized policy manipulation. The vulnerability is classified as CWE-862 (Missing Authorization).
- Vendor
- free5gc
- Product
- Unknown
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
Telecommunications operators deploying free5GC-based 5G core networks; security teams managing mobile core infrastructure; NFV orchestration teams; compliance auditors assessing 5G network security controls
Technical summary
The free5GC PCF component's NewServer() function creates the smPolicyGroup route group and registers handlers for /npcf-smpolicycontrol/v1/sm-policies endpoints without attaching the RouterAuthorizationCheck middleware. This architectural inconsistency—present in other PCF service groups like Npcf_PolicyAuthorization—permits unauthenticated HTTP requests to execute SM policy business logic. The vulnerability exposes subscriber SUPI and enables unauthorized policy operations. The fix in version 4.2.2 adds the missing middleware to enforce OAuth token validation.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade free5GC to version 4.2.2 or later to obtain the authentication middleware fix
- Verify that all PCF service route groups, particularly Npcf_SMPolicyControl endpoints, enforce RouterAuthorizationCheck middleware
- Review access logs for unauthenticated requests to /npcf-smpolicycontrol/v1/sm-policies and sub-resources prior to upgrade
- Implement network segmentation to restrict PCF service exposure to authorized NF (Network Function) entities only
- Monitor for anomalous SM policy creation, modification, or deletion events that may indicate exploitation
- Apply principle of least privilege for inter-NF communication within the 5G core service mesh
Evidence notes
CVE description confirms missing RouterAuthorizationCheck middleware in NewServer() for smPolicyGroup routes. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N supports network-exploitable, low-complexity unauthenticated access with high confidentiality impact. GitHub Security Advisory GHSA-6rgm-gr97-x3j5 and commit 8c4d457cdf58bb239ee30e88c56b370b22073964 provide fix confirmation. NVD status 'Undergoing Analysis' indicates ongoing assessment.
Official resources
2026-05-27