Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI
Details
In NewServer(), the smPolicyGroup route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as Npcf_PolicyAuthorization do attach RouterAuthorizationCheck before route registration.
Because the middleware is missing, requests to the following endpoints can reach business logic even when no valid OAuth token is provided:
POST /npcf-smpolicycontrol/v1/sm-policiesGET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/updatePOST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete
This is visible at runtime because unauthenticated requests return business-level responses such as 400 or 404 instead of being rejected with 401 before handler execution. Under valid lab preconditions (existing UE/session context and related policy data), unauthenticated POST /sm-policies can succeed with 201, and unauthenticated GET /sm-policies/{id} can succeed with 200 and return policy context containing subscriber identifiers including supi.
The root cause is missing router auth enforcement for Npcf_SMPolicyControl. Upstream also fixed this by adding RouterAuthorizationCheck to smPolicyGroup (and uePolicyGroup) in free5gc/pcf PR #63.
PoC
- Deploy free5GC with PCF reachable on the SBI network.
- Use the PoC against the PCF service without an
Authorizationheader:
go run /home/ubuntu/free5gc/tools/npcf-smpolicy-noauth-poc/main.go \
--pcf-root /home/ubuntu/free5gc/NFs/pcf \
--pcf-url http://10.100.200.9:8000 \
--timeout 4s
Observe that unauthenticated requests to Npcf_SMPolicyControl return business responses instead of 401.
### Impact
This is an authentication/authorization bypass on a network-accessible SBI service. Any unauthenticated actor able to reach the PCF SBI interface can invoke Npcf_SMPolicyControl handlers directly.AnalysisAI
Authentication bypass in free5GC Policy Control Function (PCF) allows unauthenticated network attackers to access Session Management policy control APIs and exfiltrate subscriber identities (SUPI). The Npcf_SMPolicyControl service group omits RouterAuthorizationCheck middleware, permitting OAuth-less access to four policy management endpoints that should require service-to-service authentication. Publicly available exploit code exists. CVSS 8.2 reflects direct network access with no authentication barrier, high confidentiality impact from SUPI disclosure, and low integrity impact from unauthorized policy manipulation. No EPSS or KEV data available, but PoC in vendor advisory demonstrates trivial exploitation against default SBI deployments.
Technical ContextAI
free5GC implements the 3GPP 5G Core Policy Control Function, which manages QoS and charging policies via Service-Based Interfaces (SBI). The PCF exposes RESTful APIs following 3GPP TS 29.512 (Npcf_SMPolicyControl) for session management policy decisions. The vulnerability (CWE-862: Missing Authorization) occurs in the Go-based PCF's Gin router initialization logic. While other service groups like Npcf_PolicyAuthorization correctly attach the RouterAuthorizationCheck middleware to validate OAuth 2.0 bearer tokens before reaching business logic, the smPolicyGroup route group registration in NewServer() omits this middleware layer. This allows HTTP requests to bypass the OAuth validation that enforces mutual authentication between 5G network functions. The affected package is pkg:go/github.com/free5gc/pcf, specifically the internal/sbi/server.go initialization code. The vendor patched this by adding smRouterAuthorizationCheck.Check() calls to both smPolicyGroup and uePolicyGroup middleware chains in PR #63.
RemediationAI
Upgrade free5GC PCF component to version 1.4.3 or later immediately. Patch applied in commit 8c4d457cdf58bb239ee30e88c56b370b22073964 (https://github.com/free5gc/pcf/commit/8c4d457cdf58bb239ee30e88c56b370b22073964) adds RouterAuthorizationCheck middleware to smPolicyGroup and uePolicyGroup. If immediate patching is blocked, deploy network-layer compensating controls: (1) Restrict PCF SBI access via firewall rules to authenticated 5G NF IP addresses only (AMF, SMF, trusted NRF). This prevents external exploitation but does not mitigate insider threats or compromised adjacent NFs. (2) Deploy OAuth token validation proxy (nginx with lua-resty-openidc or API gateway) in front of PCF SBI. Adds latency (~5-20ms) and operational complexity. (3) Enable mutual TLS on all SBI interfaces and validate client certificates against NF registry. Requires PKI infrastructure and certificate distribution. Review audit logs for unauthenticated requests to /npcf-smpolicycontrol/v1/sm-policies endpoints (status 200/201/400/404 without Authorization header). Workarounds reduce risk but do not eliminate the vulnerability - patching remains mandatory per 3GPP security recommendations.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32555
GHSA-6rgm-gr97-x3j5