Advisory GHSA-3258-qmv8-frp3 references a vulnerability in the following Go modules:
Description:
Summary
free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations.
The defect is route-group-scoped: there is no inbound auth middleware o...
References:
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: github.com/free5gc/smf
      versions:
        - fixed: 1.4.3
      vulnerable_at: 1.4.2
summary: |-
    free5GC's SMF UPI management interface lacks auth middleware; unauthenticated
    topology read/write requests reach handlers in github.com/free5gc/smf
cves:
    - CVE-2026-44329
ghsas:
    - GHSA-3258-qmv8-frp3
references:
    - advisory: https://github.com/advisories/GHSA-3258-qmv8-frp3
    - advisory: https://github.com/free5gc/free5gc/security/advisories/GHSA-3258-qmv8-frp3
    - fix: https://github.com/free5gc/smf/commit/e23ce97565f285eb99eed153743c62bf4c767c6e
    - fix: https://github.com/free5gc/smf/pull/197
    - report: https://github.com/free5gc/free5gc/issues/887
source:
    id: GHSA-3258-qmv8-frp3
    created: 2026-05-09T00:01:10.136343529Z
review_status: UNREVIEWED