free5GC PCF, Authentication Bypass, CVE-2026-XXXXX (Medium)

How the CVE Works

The vulnerability stems from a missing authentication middleware in the Policy Control Function (PCF) of free5GC. Specifically, the `Npcf_SMPolicyControl` service fails to enforce the `RouterAuthorizationCheck` middleware. In NewServer(), the `smPolicyGroup` route group is created without attaching the authorization checks that are applied to other PCF services like Npcf_PolicyAuthorization. As a result, unauthenticated requests can directly reach business logic handlers instead of being rejected with a 401 Unauthorized status.

The exposed endpoints include:

– `POST /npcf-smpolicycontrol/v1/sm-policies`
– `GET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}`
– `POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update`
– `POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete`

Runtime behavior demonstrates the bypass: unauthenticated requests return business-level responses (e.g., 400 or 404) rather than being rejected at the middleware layer. Under valid lab conditions where UE/session context exists, an unauthenticated `POST /sm-policies` can succeed with a 201 status, and an unauthenticated `GET /sm-policies/{id}` returns a 200 response containing the subscriber’s SUPI (Subscription Permanent Identifier).

The root cause is the absence of router authorization enforcement for Npcf_SMPolicyControl. The upstream fix added `RouterAuthorizationCheck` to both `smPolicyGroup` and `uePolicyGroup` via free5gc/pcf PR 63.

DailyCVE Form

Platform: free5GC PCF
Version: 1.4.2 and below
Vulnerability: Missing Authentication Middleware
Severity: Medium
Date: 2026-03-05

Prediction: Patch available 2026-03-05

What Undercode Says

Use the following command to test for the vulnerability:

curl -X GET "http://<pcf-sbi-ip>:8000/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}" -H "Accept: application/json"

Exploit

A proof-of-concept exploit is available:

go run /home/ubuntu/free5gc/tools/npcf-smpolicy-noauth-poc/main.go \
--pcf-root /home/ubuntu/free5gc/NFs/pcf \
--pcf-url http://10.100.200.9:8000 \
--timeout 4s

The script sends unauthenticated requests to the targeted endpoints; a vulnerable PCF will return business responses instead of 401.

Protection from this CVE

  • Upgrade to the patched version of free5GC PCF that includes the fix from PR 63.
  • Apply the following change manually: add `RouterAuthorizationCheck` middleware to `smPolicyGroup` and `uePolicyGroup` in internal/sbi/server.go.
  • Restrict network access to the PCF SBI interface to trusted sources only.
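The following Go program is an added illustration, not free5GC's code, of the defect described in "How the CVE Works" and of the one-line fix listed above: the same Npcf_SMPolicyControl route group is built once without and once with an authorization middleware, and an in-process probe shows the difference between a leaked business response and a 401. It uses only net/http; `routerAuthorizationCheck`, `newPCFServer`, `probeUnauthenticated` and the bearer-token check are assumptions standing in for free5GC's `RouterAuthorizationCheck` and Gin router.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// routerAuthorizationCheck is a hypothetical stand-in for free5GC's
// RouterAuthorizationCheck (assumed shape, not the project's code): any
// request lacking a bearer token is rejected before the handler runs.
func routerAuthorizationCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newPCFServer wires the Npcf_SMPolicyControl group. withAuth=false mirrors
// the missing middleware; withAuth=true mirrors the PR 63 fix. The business
// handler answers 404 for an unknown smPolicyId, the response the advisory
// saw leaking through unauthenticated on a vulnerable PCF.
func newPCFServer(withAuth bool) http.Handler {
	smPolicyGroup := http.NewServeMux()
	smPolicyGroup.HandleFunc("/npcf-smpolicycontrol/v1/sm-policies/",
		func(w http.ResponseWriter, r *http.Request) {
			http.Error(w, "sm policy not found", http.StatusNotFound)
		})
	var group http.Handler = smPolicyGroup
	if withAuth {
		group = routerAuthorizationCheck(group) // the one line the fix adds
	}
	root := http.NewServeMux()
	root.Handle("/npcf-smpolicycontrol/", group)
	return root
}

// probeUnauthenticated replays the advisory's check in-process: an
// unauthenticated GET on an sm-policy, returning the HTTP status. 401 means
// the middleware is enforced; any business status (400/404/200) means bypass.
func probeUnauthenticated(srv http.Handler) int {
	req := httptest.NewRequest(http.MethodGet,
		"/npcf-smpolicycontrol/v1/sm-policies/constructed-id", nil)
	rec := httptest.NewRecorder()
	srv.ServeHTTP(rec, req)
	return rec.Code
}
```

The same probe, pointed at a real PCF SBI port as in the curl command above, gives an operator a pass/fail signal for the patch: anything other than 401 on an unauthenticated request means the group is still unprotected.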

Impact

An unauthenticated attacker with network access to the PCF SBI interface can invoke `Npcf_SMPolicyControl` handlers directly. This leads to unauthorized creation, retrieval, update, and deletion of SM policies. Furthermore, the attacker can obtain sensitive subscriber identifiers (SUPI) from policy responses, resulting in information disclosure and potential further attacks on the 5G core network.

Sources:

Reported By: github.com