CVE-2026-34762
LOWSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The PUT /api/v1/subscriber/{imsi} API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any subscriber's policy while the audit trail records a fabricated or unrelated subscriber IMSI.
Impact
A NetworkManager or Admin can modify any subscriber's QoS policy (potentially degrading service or altering traffic routing) while the audit log attributes the change to a non-existent or unrelated subscriber. Post-incident forensic searches for the affected subscriber's IMSI would find no matching audit entries.
Fix
Remove the IMSI as a body param and use the path param as a single source of truth.
AnalysisAI
Ella Networks Core API fails to validate matching IMSI identifiers between URL path and JSON request body in the PUT /api/v1/subscriber/{imsi} endpoint, allowing authenticated NetworkManagers to modify any subscriber's QoS policy while spoofing audit trail entries. This authentication-required vulnerability (PR:H per CVSS) creates forensic evasion-the audit log attributes changes to fabricated or unrelated subscriber identifiers, preventing post-incident investigation of the actual affected subscriber. CVSS 2.7 reflects the limited scope (no confidentiality impact, low integrity impact, no availability impact), though the audit trail manipulation represents meaningful security degradation for compliance and incident response.
Technical ContextAI
Ella Networks Core is a telecommunications network management platform written in Go (pkg:go/github.com_ellanetworks_core). The vulnerability stems from CWE-20 (Improper Input Validation)-the API endpoint accepts the same parameter (IMSI, International Mobile Subscriber Identity) from two sources: the URL path (source of truth in REST design) and the JSON request body. The application uses the body parameter without verifying it matches the path parameter, allowing an attacker to specify a different IMSI in the body while performing the modification. The underlying technology is HTTP-based REST API with JSON payloads for telecommunications subscriber policy management, where IMSI is the unique identifier linking audit records to affected subscribers.
RemediationAI
Vendor-released patch: available via upstream fix commit 7f64b7a7c7a22cb9c05ac2c1c3a0cf0eaefac3e5 on the Ella Networks Core GitHub repository (https://github.com/ellanetworks/core). The fix removes IMSI as a body parameter and uses only the path parameter as the single source of truth for subscriber identification. Users should pull the latest version from the main branch or identify and deploy the release tag corresponding to or after the patched commit. Consult the GitHub security advisory at https://github.com/advisories/GHSA-xw45-cc32-442f for detailed release version information and deployment guidance. No workarounds are recommended; immediate patching is the only mitigation for audit trail integrity.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xw45-cc32-442f