Unauthenticated Access Vulnerability in free5GC 5G Core Network PCF
CVE-2026-42083

8.2 HIGH

Key Information:

Vendor

Free5gc

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-42083?

The free5GC open-source implementation of the 5G core network has a vulnerability in its Policy Control Function (PCF) that allows unauthenticated access to SM policy handlers. This occurs due to missing authentication middleware in the Npcf_SMPolicyControl component. As a result, requests to critical endpoints such as /npcf-smpolicycontrol/v1/sm-policies can be processed without a valid OAuth token, leading to potential exposure of sensitive subscriber information such as the SUPI. This issue has been addressed in version 4.2.2.
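The defect class described above, one route group registered without the authentication wrapper that its siblings have, shown as an added Go illustration with a check that catches it. This is not free5GC's code: the `/example-service` route, the token value and all function names are constructed for the example, and the token comparison stands in for real OAuth validation.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
// requireBearer rejects any request whose bearer token validate() does not accept.
func requireBearer(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || !validate(strings.TrimPrefix(h, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter mounts two route groups; protectSM=false leaves the SM policy group unwrapped.
func newRouter(validate func(string) bool, protectSM bool) http.Handler {
	created := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })
	mux := http.NewServeMux()
	mux.Handle("/example-service/v1/items", requireBearer(validate, created)) // constructed route
	var sm http.Handler = created
	if protectSM {
		sm = requireBearer(validate, created)
	}
	mux.Handle("/npcf-smpolicycontrol/v1/sm-policies", sm)
	return mux
}

// unprotected returns every path that answers a token-less POST with anything but 401.
func unprotected(h http.Handler, paths []string) []string {
	var open []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, p, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}
func main() {
	v := func(t string) bool { return t == "constructed-test-token" } // constructed token
	p := []string{"/example-service/v1/items", "/npcf-smpolicycontrol/v1/sm-policies"}
	fmt.Println("before:", unprotected(newRouter(v, false), p), "after:", unprotected(newRouter(v, true), p))
}
```

Run as a regression test over the full route list of a service, a check like `unprotected` fails the build whenever a newly added route group is mounted without the wrapper.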

Affected Version(s)

free5gc < 4.2.2

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved