CVE-2026-44329

CRITICAL 10.0

free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

15th

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.

CWE	CWE-306 CWE-862
Vendor	free5gc
Product	free5gc
Published	May 27, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for free5gc free5gc

Be the first to know when new critical vulnerabilities affecting free5gc free5gc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

High

Affected Versions

free5gc / free5gc

< 4.2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/free5gc/free5gc/security/advisories/GHSA-3258-qmv8-frp3 github.com: https://github.com/free5gc/free5gc/issues/887 github.com: https://github.com/free5gc/smf/pull/197 github.com: https://github.com/free5gc/smf/commit/e23ce97565f285eb99eed153743c62bf4c767c6e