CVE-2026-44329 - free5GC's SMF UPI management interface lacks auth middleware; unauthenticated to

📡 GitHub-Advisory · 2026-05-08

GHSA-3258-qmv8-frp3 CRITICAL go/github.com/free5gc/smf

CVE: CVE-2026-44329

Summary

free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations.

The defect is route-group-scoped: there is no inbound auth middleware on the UPI group at all, while a control comparison against the sibling nsmf-oam group on the same SMF instance shows OAM IS protected (no-token request returns 401 Unauthorized). So this is not a global config gap -- it is specifically that the UPI group was mounted without the auth middleware that the OAM group has.

Details

Validated against the SMF container in the official Docker compose lab.

  • Source repo tag: v4.2.1
  • Running Docker image: free5gc/smf:v4.2.0
  • Docker validation date: 2026-03-13

Control comparison on the same SMF instance:

  • GET /upi/v1/upNodesLinks (no token) -> 200 OK
  • GET /nsmf-oam/v1/ (no token) -> 401 Unauthorized

This side-by-side proves OAuth2 middleware is wired in for nsmf-oam but not for UPI on the same process.

Code evidence (paths in free5gc/smf):

  • UPI group mounted WITHOUT auth middleware: NFs/smf/internal/sbi/server.go:76
  • OAM group mounted WITH auth middleware (control): NFs/smf/internal/sbi/server.go:95
  • UPI business handlers (read / write / delete on upNodesLinks):
      - NFs/smf/internal/sbi/api_upi.go:44
      - NFs/smf/internal/sbi/api_upi.go:60
      - NFs/smf/internal/sbi/api_upi.go:84
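The route-group-scoped gap described above, as an added sketch that is not free5GC's code: it uses Go's standard net/http instead of the SMF's own router, and `requireBearer`, `newRouter`, `unprotected` and the `node1` ID are hypothetical names. `unprotected` is the kind of regression check that flags any group mounted without the auth wrapper.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer stands in for OAuth2 validation (assumption: presence check only, no token verification).
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter mounts both groups; protectUPI=false models the report: OAM wrapped, UPI mounted bare.
func newRouter(protectUPI bool) http.Handler {
	ok := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {}))
	upi := ok
	if protectUPI {
		upi = requireBearer(ok)
	}
	mux := http.NewServeMux()
	mux.Handle("/upi/v1/", upi)
	mux.Handle("/nsmf-oam/v1/", requireBearer(ok))
	return mux
}

// unprotected lists every probe whose no-token request is answered with anything but 401.
func unprotected(h http.Handler) (open []string) {
	for _, p := range []string{"GET /upi/v1/upNodesLinks", "POST /upi/v1/upNodesLinks",
		"DELETE /upi/v1/upNodesLinks/node1", "GET /nsmf-oam/v1/"} { // node1 is a constructed ID
		method, path, _ := strings.Cut(p, " ")
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	fmt.Println("bare:", unprotected(newRouter(false)), "wrapped:", unprotected(newRouter(true)))
}
```

Run against the bare router, the check reports the three UPI routes and not the OAM route, matching the advisory's control comparison; with the wrapper applied it reports nothing.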

PoC

Reproduced end-to-end against the running SMF at http://10.100.200.6:8000.

1. READ UP-nodes/links with NO Authorization header -> 200 OK:

curl -i http://10.100.200.6:8000/upi/v1/upNodesLinks

2.

