CVE-2026-44328
Published 2026-05-27
Priority: P3 · 45 · high · CVSS 3.1: 8.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS: 0.32% (24.1th percentile)
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. This vulnerability is fixed in 4.2.2.
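The failure mode described above, reduced to a self-contained Go sketch (an added example, not free5GC's code and not the 4.2.2 patch): the flawed ordering next to one defensive ordering that authenticates, validates, and only then mutates. Every name other than `UPF`, `AN` and `UpNodeDelete`, the `tokenOK` flag and the sample topology are assumptions made for illustration.

```go
package main

import "fmt"

// Simplified model; every name except UPF, AN and UpNodeDelete is hypothetical.
type UPF struct{ NodeID string }
type UPNode struct{ Type string; UPF *UPF } // UPF is nil for AN-typed nodes
type Topology struct {
	Nodes    map[string]*UPNode
	Released []string // UPF node IDs whose release was requested
}

func (t *Topology) UpNodeDelete(ref string) { delete(t.Nodes, ref) }

// DeleteFlawed: no auth check, topology mutated first, UPF dereferenced for any type.
func DeleteFlawed(t *Topology, ref string) (err error) {
	defer func() { // recover only makes the panic observable in this demo
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	n := t.Nodes[ref]
	t.UpNodeDelete(ref)
	t.Released = append(t.Released, n.UPF.NodeID) // nil dereference for AN nodes
	return nil
}

// DeleteGuarded authenticates first, validates the node, and mutates last.
func DeleteGuarded(t *Topology, ref string, tokenOK bool) error {
	if !tokenOK { // stands in for the OAuth2 middleware verdict
		return fmt.Errorf("unauthorized")
	}
	n, ok := t.Nodes[ref]
	if !ok {
		return fmt.Errorf("upNode %q not found", ref)
	}
	if n.Type == "UPF" && n.UPF != nil { // AN nodes carry no UPF object
		t.Released = append(t.Released, n.UPF.NodeID)
	}
	t.UpNodeDelete(ref)
	return nil
}

// NewDemo returns a constructed topology: one AN node (gNB1) and one UPF node.
func NewDemo() *Topology {
	return &Topology{Nodes: map[string]*UPNode{"gNB1": {Type: "AN"}, "UPF1": {Type: "UPF", UPF: &UPF{NodeID: "upf-1"}}}}
}

func main() { fmt.Println(DeleteFlawed(NewDemo(), "gNB1"), DeleteGuarded(NewDemo(), "gNB1", true)) }
```

In the flawed ordering the AN entry is already gone from the map when the panic fires, which is why the advisory calls the sink state-mutating rather than a plain crash.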
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| free5gc | free5gc | < 4.2.2 | 4.2.2 |
| github.com | free5gc_smf | >= 0 < 1.4.3 | 1.4.3 |
VulDB
Free5GC up to 4.2.1 /upi/v1/upNodesLinks/ missing authentication
vuldb·2026-05-27·CVSS 8.2
CVE-2026-44328 [HIGH] Free5GC up to 4.2.1 /upi/v1/upNodesLinks/ missing authentication
A vulnerability marked as critical has been reported in Free5GC up to 4.2.1. This issue affects some unknown processing of the file /upi/v1/upNodesLinks/. Performing a manipulation results in missing authentication.
This vulnerability is reported as CVE-2026-44328. The attack is possible to be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
ghsa·2026-05-08
CVE-2026-44328 [HIGH] CWE-306 free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
### Summary
free5GC's SMF mounts the `UPI` management route group without inbound OAuth2 middleware (same root cause as the broader UPI auth gap reported in free5gc/free5gc#887). On top of that, the `DELETE /upi/v1/upNodesLinks/{upNodeRef}` handler unconditionally dereferences `upNode.UPF` after the type-guarded async release, even though `AN`-typed nodes are constructed without a `UPF` object. As a result, a single unauthenticated `DELETE /upi/v1/upNodesLinks/gNB1` request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the `UpNodeDelete(upNodeRef)` line runs first). This is an unauthenticated,
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/free5gc/free5gc/issues/905
https://github.com/free5gc/free5gc/security/advisories/GHSA-p9mg-74mg-cwwr
https://github.com/free5gc/smf/commit/b57bc48081c3d3a2f333d02eb78e4fd31a120deb
https://github.com/free5gc/smf/pull/199