free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token…

free5GC, an open-source 5G core network implementation, contains a critical authorization bypass vulnerability in versions prior to 4.2.2. The SMF (Session Management Function) component mounts UPI management routes without OAuth2/bearer-token authorization middleware. Network attackers who can reach SMF on the SBI can access UPI endpoints without any authorization headers. The vulnerability allows unauthorized read, write, and delete operations on UP-node links through various HTTP methods. This was demonstrated in Docker lab environments with full CRUD operations on the /upi/v1/upNodesLinks endpoints. The vulnerability has been patched in version 4.2.2.