CVE-2026-34762
LOW
GHSA-xw45-cc32-442f
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Description
## Summary The `PUT /api/v1/subscriber/{imsi}` API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any subscriber's policy while the audit trail records a fabricated or unrelated subscriber IMSI. ## Impact A NetworkManager or Admin can modify any subscriber's QoS policy (potentially degrading service or altering traffic routing) while the audit log attributes the change to a non-existent or unrelated subscriber. Post-incident forensic searches for the affected subscriber's IMSI would find no matching audit entries. ## Fix Remove the IMSI as a body param and use the path param as a single source of truth.
Analysis
Ella Networks Core API fails to validate matching IMSI identifiers between URL path and JSON request body in the PUT /api/v1/subscriber/{imsi} endpoint, allowing authenticated NetworkManagers to modify any subscriber's QoS policy while spoofing audit trail entries. This authentication-required vulnerability (PR:H per CVSS) creates forensic evasion-the audit log attributes changes to fabricated or unrelated subscriber identifiers, preventing post-incident investigation of the actual affected subscriber. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today