GHSA-XW45-CC32-442F

Vulnerability from github – Published: 2026-04-01 22:59 – Updated: 2026-04-06 17:32
VLAI?
Summary
Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber
Details

Summary

The PUT /api/v1/subscriber/{imsi} API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any subscriber's policy while the audit trail records a fabricated or unrelated subscriber IMSI.

Impact

A NetworkManager or Admin can modify any subscriber's QoS policy (potentially degrading service or altering traffic routing) while the audit log attributes the change to a non-existent or unrelated subscriber. Post-incident forensic searches for the affected subscriber's IMSI would find no matching audit entries.

Fix

Remove the IMSI as a body param and use the path param as a single source of truth.

Severity ?
2.7 (Low)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ellanetworks/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T22:59:50Z",
    "nvd_published_at": "2026-04-02T20:16:25Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nThe `PUT /api/v1/subscriber/{imsi}` API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any subscriber\u0027s policy while the audit trail records a fabricated or unrelated subscriber IMSI.\n\n## Impact\n\nA NetworkManager or Admin can modify any subscriber\u0027s QoS policy (potentially degrading service or altering traffic routing) while the audit log attributes the change to a non-existent or unrelated subscriber. Post-incident forensic searches for the affected subscriber\u0027s IMSI would find no matching audit entries.\n\n## Fix\n\nRemove the IMSI as a body param and use the path param as a single source of truth.",
  "id": "GHSA-xw45-cc32-442f",
  "modified": "2026-04-06T17:32:53Z",
  "published": "2026-04-01T22:59:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ellanetworks/core/security/advisories/GHSA-xw45-cc32-442f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ellanetworks/core/commit/7f64b7a7c7a22cb9c05ac2c1c3a0cf0eaefac3e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ellanetworks/core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ellanetworks/core/releases/tag/v1.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.