Skip to main content

CVE-2026-34762

LOW
Improper Input Validation (CWE-20)
2026-04-01 https://github.com/ellanetworks/core GHSA-xw45-cc32-442f
2.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
Patch released
Apr 01, 2026 - 23:16 nvd
Patch available
CVE Published
Apr 01, 2026 - 22:59 nvd
LOW 2.7

DescriptionGitHub Advisory

Summary

The PUT /api/v1/subscriber/{imsi} API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any subscriber's policy while the audit trail records a fabricated or unrelated subscriber IMSI.

Impact

A NetworkManager or Admin can modify any subscriber's QoS policy (potentially degrading service or altering traffic routing) while the audit log attributes the change to a non-existent or unrelated subscriber. Post-incident forensic searches for the affected subscriber's IMSI would find no matching audit entries.

Fix

Remove the IMSI as a body param and use the path param as a single source of truth.

AnalysisAI

Ella Networks Core API fails to validate matching IMSI identifiers between URL path and JSON request body in the PUT /api/v1/subscriber/{imsi} endpoint, allowing authenticated NetworkManagers to modify any subscriber's QoS policy while spoofing audit trail entries. This authentication-required vulnerability (PR:H per CVSS) creates forensic evasion-the audit log attributes changes to fabricated or unrelated subscriber identifiers, preventing post-incident investigation of the actual affected subscriber. CVSS 2.7 reflects the limited scope (no confidentiality impact, low integrity impact, no availability impact), though the audit trail manipulation represents meaningful security degradation for compliance and incident response.

Technical ContextAI

Ella Networks Core is a telecommunications network management platform written in Go (pkg:go/github.com_ellanetworks_core). The vulnerability stems from CWE-20 (Improper Input Validation)-the API endpoint accepts the same parameter (IMSI, International Mobile Subscriber Identity) from two sources: the URL path (source of truth in REST design) and the JSON request body. The application uses the body parameter without verifying it matches the path parameter, allowing an attacker to specify a different IMSI in the body while performing the modification. The underlying technology is HTTP-based REST API with JSON payloads for telecommunications subscriber policy management, where IMSI is the unique identifier linking audit records to affected subscribers.

RemediationAI

Vendor-released patch: available via upstream fix commit 7f64b7a7c7a22cb9c05ac2c1c3a0cf0eaefac3e5 on the Ella Networks Core GitHub repository (https://github.com/ellanetworks/core). The fix removes IMSI as a body parameter and uses only the path parameter as the single source of truth for subscriber identification. Users should pull the latest version from the main branch or identify and deploy the release tag corresponding to or after the patched commit. Consult the GitHub security advisory at https://github.com/advisories/GHSA-xw45-cc32-442f for detailed release version information and deployment guidance. No workarounds are recommended; immediate patching is the only mitigation for audit trail integrity.

Share

CVE-2026-34762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy