Severity: HIGH | CVE-2026-42083 | CNA: GitHub_M

CVE-2026-42083: free5GC: PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the PCF Npcf_SMPolicyControl service is missing its authentication middleware, which allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI. In NewServer(), the smPolicyGroup route group is created and its routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as Npcf_PolicyAuthorization do attach RouterAuthorizationCheck before route registration. Because the middleware is missing, requests to the following endpoints can reach business logic even when no valid OAuth token is provided:

  • /npcf-smpolicycontrol/v1/sm-policies
  • /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}
  • /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update
  • /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete

This vulnerability is fixed in 4.2.2.
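The registration gap described above, modelled with Go's standard net/http as an added example; it is not free5GC's code, and free5GC's real router, handlers and token validation differ. The names newServer, authCheck and unprotected and the policy ID sp-1 are hypothetical, and authCheck only checks that an Authorization header is present.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const base = "/npcf-smpolicycontrol/v1/sm-policies" // from the advisory; "sp-1" is constructed
var smPolicyPaths = []string{base, base + "/sp-1", base + "/sp-1/update", base + "/sp-1/delete"}

// authCheck stands in for RouterAuthorizationCheck (assumption: header presence only).
func authCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newServer registers the SM policy routes; attachAuth=false reproduces the
// group registered without middleware, attachAuth=true the corrected wiring.
func newServer(attachAuth bool) http.Handler {
	// Placeholder for the SM policy business logic: answers 200 with no body.
	var sm http.Handler = http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	if attachAuth {
		sm = authCheck(sm)
	}
	mux := http.NewServeMux()
	mux.Handle(base, sm)
	mux.Handle(base+"/", sm)
	return mux
}

// unprotected lists the paths that answer a token-less request with anything but 401.
func unprotected(h http.Handler) []string {
	var open []string
	for _, p := range smPolicyPaths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, p, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	fmt.Println(unprotected(newServer(false)), unprotected(newServer(true)))
}
```

Kept as a regression test against the real router, a check of this shape fails the build whenever a route group is registered without its authorization middleware.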

HarborGuard Analysis


Synopsis

This is an authentication bypass vulnerability in free5GC, an open-source 5G core network implementation, affecting the PCF (Policy Control Function) component. The Npcf_SMPolicyControl route group is registered without the RouterAuthorizationCheck middleware, meaning any unauthenticated caller on the network can reach SM policy endpoints that should require a valid OAuth token. Successful exploitation exposes subscriber SUPI (a permanent device identifier) and allows limited modification of session management policy data. HarborGuard tracks the upstream advisory for this CVE as no fix version has been published yet.

HarborGuard Coverage

Detection

Detection of CVE-2026-42083 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle free5GC components. Any image found to carry an affected version of free5gc/free5gc (below 4.2.2) is flagged immediately.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.2 HIGH and weights findings against each environment's compliance policy to determine priority and routing. Findings are surfaced to the team inbox or ticketing integration configured inside the customer organization, ensuring the right engineers receive the alert without noise from lower-priority issues.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment free5GC releases version 4.2.2 or an equivalent upstream fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point, with no manual intervention required.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable HTTP endpoints are exposed over the network, so an attacker must be able to send HTTP requests to the PCF service interface.

  • Authentication: Not required

    No OAuth token or any other credential is required; the missing middleware means unauthenticated requests reach business logic directly.

  • Victim interaction: Not required

    The attacker sends requests directly to the API; no user action or social engineering is involved.

  • Attack complexity: Detail

    Exploitation is straightforward and condition-free: the attacker simply omits an authorization header on a standard HTTP request to the affected endpoints.

Blast Radius

  • Reads subscriber SUPI values (permanent device identifiers) from SM policy responses, enabling subscriber tracking and identity correlation.
  • Writes limited changes to session management policy data on affected endpoints, potentially altering QoS or charging rules for active subscriber sessions.
  • Confidentiality impact is high; integrity impact is limited to the SM policy resource and does not extend to broader core-network configuration.
  • Availability is not directly affected; the service continues running after exploitation.

How HarborGuard Handles This

Available on HarborGuard: any image carrying an affected free5GC build is flagged automatically within minutes of CVE ingestion, scored at CVSS 8.2 HIGH, and routed according to each environment's compliance policy. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available as soon as free5GC publishes version 4.2.2. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual steps. While awaiting the upstream patch, compensating controls worth considering include applying network policy rules to restrict access to PCF service interfaces to known internal callers only, adding an egress filter or API gateway that enforces OAuth token validation in front of the Npcf_SMPolicyControl routes, and, where operationally feasible, disabling or isolating the affected endpoints until the official fix is available.


Metrics

CVSS v3.1: 8.2
Severity: HIGH
Fixed in:
Affected products: 1
Affected packages:
  • free5gc / free5gc < 4.2.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N