CVE-2026-44329: free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.
HarborGuard Analysis
Synopsis
This is an authentication bypass in free5GC's Session Management Function (SMF), specifically the UPI management interface. A remote attacker who can reach the SMF Service-Based Interface (SBI) over the network can issue GET, POST, and DELETE requests to UPI endpoints with no Authorization header, because the route group is registered without OAuth2 or bearer-token middleware, meaning the requests go straight to the business logic handlers. Successful exploitation lets an attacker read the full UP-node and link topology, inject attacker-controlled UP-node and link configurations, and delete existing UP-node links, disrupting or hijacking user-plane traffic routing. A patched-image rebuild at version 4.2.2 is available on HarborGuard for environments running an affected version.
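The missing-middleware condition described above, as an added example that is not free5GC's or HarborGuard's code: a route group mounted bare beside the same group wrapped in a bearer-token check, exercised in-process so the result can serve as a regression check after upgrading. It uses Go's standard `net/http` rather than the project's own router; `upiRoutes`, `requireBearer`, `probeStatuses`, the stand-in handlers, the node ID `node-1` and the token value are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// upiRoutes mounts stand-in 200 handlers on the UPI paths named in the advisory.
func upiRoutes() *http.ServeMux {
	mux := http.NewServeMux()
	ok := func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }
	mux.HandleFunc("/upi/v1/upNodesLinks", ok)  // read and write
	mux.HandleFunc("/upi/v1/upNodesLinks/", ok) // per-node delete
	return mux
}

// requireBearer wraps the whole group so no handler runs without a valid token.
func requireBearer(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || !validate(strings.TrimPrefix(h, "Bearer ")) {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probeStatuses sends read, write and delete requests in-process with hdr and returns status by method.
func probeStatuses(h http.Handler, hdr http.Header) map[string]int {
	out := map[string]int{}
	for _, p := range [][2]string{{"GET", "/upi/v1/upNodesLinks"}, {"POST", "/upi/v1/upNodesLinks"}, {"DELETE", "/upi/v1/upNodesLinks/node-1"}} {
		req := httptest.NewRequest(p[0], p[1], nil)
		req.Header = hdr // an empty header set means no Authorization header at all
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		out[p[0]] = rec.Code
	}
	return out
}

func main() {
	valid := func(t string) bool { return t == "constructed-test-token" } // hypothetical validator
	fmt.Println("no middleware, no header:  ", probeStatuses(upiRoutes(), http.Header{}))
	fmt.Println("with middleware, no header:", probeStatuses(requireBearer(valid, upiRoutes()), http.Header{}))
}
```

A deployment check built on the same idea should expect 401 for all three methods when no Authorization header is sent; a 200 on any of them means the group is still mounted without the middleware.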
HarborGuard Coverage
Detection of CVE-2026-44329 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built free5GC images derived from source or modified base layers.
Status: Available
HarborGuard scores this CVE at CVSS 10.0 Critical and is capable of weighting that score against each customer environment's compliance policy to determine breach-of-threshold status; triage findings are routed to the inbox or ticketing integration configured for each customer org.
Status: Available
Because no upstream fix is currently published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at version 4.2.2 the moment the upstream release is confirmed. For customers with auto-remediation enabled, that rebuild triggers an automated regression run and a PR opened against affected workloads without requiring manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the SMF Service-Based Interface port over the network; any system with routable access to the SBI can send unauthenticated UPI requests.
- Authentication: Not required
No credentials, bearer token, or OAuth2 grant of any kind are required; the route group is mounted without authorization middleware so requests reach handlers anonymously.
- Victim interaction: Not required
The attacker sends HTTP requests directly to the SMF; no user action or social engineering is needed.
- Attack complexity
Exploitation is reliable and condition-free: the attacker sends a standard HTTP request with no special timing, memory layout knowledge, or environmental precondition required.
Blast Radius
- Reads the full UP-node and link topology, exposing the internal user-plane graph including node identifiers and link relationships.
- Writes attacker-controlled UP-node and link entries, allowing injection of rogue user-plane nodes that can redirect subscriber traffic flows.
- Deletes existing UP-node links, breaking user-plane paths and causing service disruption for active 5G sessions.
- The CVSS scope is Changed, meaning impact can extend beyond the SMF process itself to the broader 5G user-plane infrastructure it manages.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44329 is active across all customer image registries and CI pipelines. Because no upstream fix version has been published at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild at version 4.2.2 automatically the moment upstream confirms the release. For customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict access to the SMF SBI port to trusted 5G core components only, egress filtering to prevent lateral movement from a compromised SMF, and feature-flag or deployment-config gating to disable the UPI management route group if it is not operationally required in your environment. HarborGuard will send a policy-threshold alert to configured inboxes as soon as the patched image becomes available for rebuild.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
- free5gc / free5gc < 4.2.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H