Skip to main content

free5GC PCF CVE-2026-42083

| EUVDEUVD-2026-32555 HIGH
Missing Authorization (CWE-862)
2026-05-07 https://github.com/free5gc/free5gc GHSA-6rgm-gr97-x3j5
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 02:16 vuln.today
Analysis Generated
May 07, 2026 - 02:16 vuln.today
CVE Published
May 07, 2026 - 01:58 nvd
HIGH 8.2

DescriptionGitHub Advisory

Summary

PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI

Details

In NewServer(), the smPolicyGroup route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as Npcf_PolicyAuthorization do attach RouterAuthorizationCheck before route registration.

Because the middleware is missing, requests to the following endpoints can reach business logic even when no valid OAuth token is provided:

  • POST /npcf-smpolicycontrol/v1/sm-policies
  • GET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}
  • POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update
  • POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete

This is visible at runtime because unauthenticated requests return business-level responses such as 400 or 404 instead of being rejected with 401 before handler execution. Under valid lab preconditions (existing UE/session context and related policy data), unauthenticated POST /sm-policies can succeed with 201, and unauthenticated GET /sm-policies/{id} can succeed with 200 and return policy context containing subscriber identifiers including supi.

The root cause is missing router auth enforcement for Npcf_SMPolicyControl. Upstream also fixed this by adding RouterAuthorizationCheck to smPolicyGroup (and uePolicyGroup) in free5gc/pcf PR #63.

PoC

  1. Deploy free5GC with PCF reachable on the SBI network.
  2. Use the PoC against the PCF service without an Authorization header:
bash
   go run /home/ubuntu/free5gc/tools/npcf-smpolicy-noauth-poc/main.go \
     --pcf-root /home/ubuntu/free5gc/NFs/pcf \
     --pcf-url http://10.100.200.9:8000 \
     --timeout 4s
Observe that unauthenticated requests to Npcf_SMPolicyControl return business responses instead of 401.
### Impact

This is an authentication/authorization bypass on a network-accessible SBI service. Any unauthenticated actor able to reach the PCF SBI interface can invoke Npcf_SMPolicyControl handlers directly.

AnalysisAI

Authentication bypass in free5GC Policy Control Function (PCF) allows unauthenticated network attackers to access Session Management policy control APIs and exfiltrate subscriber identities (SUPI). The Npcf_SMPolicyControl service group omits RouterAuthorizationCheck middleware, permitting OAuth-less access to four policy management endpoints that should require service-to-service authentication. Publicly available exploit code exists. CVSS 8.2 reflects direct network access with no authentication barrier, high confidentiality impact from SUPI disclosure, and low integrity impact from unauthorized policy manipulation. No EPSS or KEV data available, but PoC in vendor advisory demonstrates trivial exploitation against default SBI deployments.

Technical ContextAI

free5GC implements the 3GPP 5G Core Policy Control Function, which manages QoS and charging policies via Service-Based Interfaces (SBI). The PCF exposes RESTful APIs following 3GPP TS 29.512 (Npcf_SMPolicyControl) for session management policy decisions. The vulnerability (CWE-862: Missing Authorization) occurs in the Go-based PCF's Gin router initialization logic. While other service groups like Npcf_PolicyAuthorization correctly attach the RouterAuthorizationCheck middleware to validate OAuth 2.0 bearer tokens before reaching business logic, the smPolicyGroup route group registration in NewServer() omits this middleware layer. This allows HTTP requests to bypass the OAuth validation that enforces mutual authentication between 5G network functions. The affected package is pkg:go/github.com/free5gc/pcf, specifically the internal/sbi/server.go initialization code. The vendor patched this by adding smRouterAuthorizationCheck.Check() calls to both smPolicyGroup and uePolicyGroup middleware chains in PR #63.

RemediationAI

Upgrade free5GC PCF component to version 1.4.3 or later immediately. Patch applied in commit 8c4d457cdf58bb239ee30e88c56b370b22073964 (https://github.com/free5gc/pcf/commit/8c4d457cdf58bb239ee30e88c56b370b22073964) adds RouterAuthorizationCheck middleware to smPolicyGroup and uePolicyGroup. If immediate patching is blocked, deploy network-layer compensating controls: (1) Restrict PCF SBI access via firewall rules to authenticated 5G NF IP addresses only (AMF, SMF, trusted NRF). This prevents external exploitation but does not mitigate insider threats or compromised adjacent NFs. (2) Deploy OAuth token validation proxy (nginx with lua-resty-openidc or API gateway) in front of PCF SBI. Adds latency (~5-20ms) and operational complexity. (3) Enable mutual TLS on all SBI interfaces and validate client certificates against NF registry. Requires PKI infrastructure and certificate distribution. Review audit logs for unauthenticated requests to /npcf-smpolicycontrol/v1/sm-policies endpoints (status 200/201/400/404 without Authorization header). Workarounds reduce risk but do not eliminate the vulnerability - patching remains mandatory per 3GPP security recommendations.

Share

CVE-2026-42083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy