PatchSiren cyber security CVE debrief

CVE-2026-44329 free5gc CVE debrief

free5GC's Session Management Function (SMF) component prior to version 4.2.2 exposes UPI (User Plane Infrastructure) management endpoints without requiring OAuth2 or bearer-token authentication. An unauthenticated network attacker with reachability to the SMF Service-Based Interface (SBI) can perform read, write, and delete operations on UP-node and link configurations. The vulnerability stems from the UPI route group being mounted without authorization middleware, allowing requests with no Authorization header to reach business handlers. This was demonstrated in a Docker lab environment against endpoints including GET /upi/v1/upNodesLinks, POST /upi/v1/upNodesLinks with attacker-controlled payloads, and DELETE /upi/v1/upNodesLinks/{nodeID}. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H reflects network accessibility, low attack complexity, no privileges required, no user interaction, changed scope, and high impact to integrity and availability with low confidentiality impact. The issue is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization). A fix was implemented in free5GC version 4.2.2 via commit e23ce97565f285eb99eed153743c62bf4c767c6e.

Vendor: free5gc
Product: Unknown
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Telecommunications operators deploying free5GC-based 5G core networks, network security teams managing 5G infrastructure, and organizations using free5GC for private 5G deployments should prioritize this vulnerability due to the critical impact on network integrity and availability.

Technical summary

The free5GC SMF component's UPI (User Plane Infrastructure) management route group was mounted without OAuth2/bearer-token authorization middleware in versions prior to 4.2.2. This architectural omission allowed unauthenticated HTTP requests to reach business handlers for UP-node and link management operations. The vulnerability affects the SBI (Service-Based Interface) exposure surface and enables complete unauthorized control over user plane topology configuration. The fix in 4.2.2 adds proper authentication middleware to the UPI route group.

Defensive priority

critical

Recommended defensive actions

Upgrade free5GC to version 4.2.2 or later to obtain the authentication middleware fix for UPI endpoints.
Verify that all SMF UPI management endpoints require valid OAuth2/bearer-token authentication headers before processing requests.
Review access controls on SMF Service-Based Interface (SBI) network segments to restrict reachability to authorized NFs and management systems only.
Audit UP-node and link configurations for unauthorized modifications if running affected versions prior to 4.2.2.
Monitor SMF access logs for requests to /upi/v1/upNodesLinks endpoints lacking Authorization headers as potential exploitation indicators.

Evidence notes

CVE description confirms unauthenticated access to UPI management endpoints in SMF prior to 4.2.2. GitHub advisory GHSA-3258-qmv8-frp3 and issue #887 provide vendor acknowledgment. Commit e23ce97565f285eb99eed153743c62bf4c767c6e and PR #197 document the remediation. CVSS 3.1 vector and CWE classifications sourced from NVD metadata.

Official resources

2026-05-27T17:16:38.490Z