{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44329/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SMF"],"_cs_severities":["critical"],"_cs_tags":["5G","Authentication Bypass","free5GC","SMF","UPI","CVE-2026-44329"],"_cs_type":"advisory","_cs_vendors":["free5GC"],"content_html":"\u003cp\u003efree5GC\u0026rsquo;s Session Management Function (SMF) is vulnerable to an authentication bypass in its UPI (UP-node and link topology management) interface. The UPI route group is mounted without OAuth2/bearer-token authorization middleware, which allows any network attacker who can reach the SMF on the SBI interface to access UPI endpoints without providing any credentials. This vulnerability allows attackers to read the SMF\u0026rsquo;s view of the UP-plane topology, inject attacker-controlled UPF nodes and links, and delete existing entries. The vulnerability affects free5GC SMF versions prior to 1.4.3 and was validated against the \u003ccode\u003efree5gc/smf:v4.2.0\u003c/code\u003e Docker image from the official Docker compose lab. The vulnerability was addressed in \u003ca href=\"https://github.com/free5gc/smf/pull/197\"\u003ehttps://github.com/free5gc/smf/pull/197\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies the SMF instance on the SBI network at 10.100.200.6:8000.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to \u003ccode\u003e/upi/v1/upNodesLinks\u003c/code\u003e without an \u003ccode\u003eAuthorization\u003c/code\u003e header to enumerate existing UPF nodes and links.\u003c/li\u003e\n\u003cli\u003eThe SMF server responds with a \u003ccode\u003e200 OK\u003c/code\u003e status code and the current UP-node and link topology data.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON payload containing attacker-controlled UPF node and link information.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to \u003ccode\u003e/upi/v1/upNodesLinks\u003c/code\u003e with the malicious JSON payload and without an \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe SMF server processes the request and injects the attacker-controlled UPF node and link entries, returning a \u003ccode\u003e200 OK\u003c/code\u003e status code.\u003c/li\u003e\n\u003cli\u003eThe attacker can then send a DELETE request to \u003ccode\u003e/upi/v1/upNodesLinks/{nodeID}\u003c/code\u003e to delete named UPF entries, even with a forged \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe SMF server deletes the specified UPF entry, disrupting legitimate UPF participation in SMF\u0026rsquo;s selection logic.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to fully compromise the integrity of the SMF\u0026rsquo;s view of the UP-plane topology. This can lead to the injection of rogue UPF nodes, redirection of traffic through attacker-controlled infrastructure, and denial of service by deleting legitimate UPF entries. Given the core functionality of the SMF in a 5G network, this vulnerability could have a significant impact on network availability, security, and performance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch available at \u003ca href=\"https://github.com/free5gc/smf/pull/197\"\u003ehttps://github.com/free5gc/smf/pull/197\u003c/a\u003e to upgrade to SMF version 1.4.3 or later to remediate CVE-2026-44329.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for HTTP requests to the \u003ccode\u003e/upi/v1/upNodesLinks\u003c/code\u003e endpoint without an \u003ccode\u003eAuthorization\u003c/code\u003e header using the \u0026ldquo;Detect Unauthenticated SMF UPI Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for POST requests to \u003ccode\u003e/upi/v1/upNodesLinks\u003c/code\u003e containing suspicious or unexpected UPF node configurations.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to the SMF SBI interface to only authorized and authenticated clients, mitigating the risk of unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-09T14:00:00Z","date_published":"2026-05-09T14:00:00Z","id":"/briefs/2026-05-free5gc-smf-auth-bypass/","summary":"free5GC's Session Management Function (SMF) UPI interface lacks authentication, allowing unauthenticated network attackers to read/write/delete UP-node and link topology data via exposed APIs.","title":"free5GC SMF Unauthenticated UPI Access","url":"https://feed.craftedsignal.io/briefs/2026-05-free5gc-smf-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44329","version":"https://jsonfeed.org/version/1.1"}