Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34762

CVE-2026-34762: Ella Core Auth Bypass Vulnerability

CVE-2026-34762 is an authentication bypass flaw in Ella Core 5G that allows authenticated users to modify any subscriber's policy while masking the audit trail. This article covers technical details, affected versions, and mitigation.

Published: April 2, 2026

CVE-2026-34762 Overview

CVE-2026-34762 is an Improper Input Validation vulnerability in Ella Core, a 5G core solution designed for private networks. Prior to version 1.8.0, the PUT /api/v1/subscriber/{imsi} API endpoint accepts an IMSI (International Mobile Subscriber Identity) identifier from both the URL path and the JSON request body but fails to verify that these values match. This design flaw allows an authenticated NetworkManager to modify any subscriber's policy while the audit trail records a fabricated or unrelated subscriber IMSI, effectively bypassing audit controls.

Critical Impact

Authenticated attackers with NetworkManager privileges can manipulate subscriber policies without proper audit attribution, enabling unauthorized policy modifications with audit trail evasion.

Affected Products

  • Ella Core versions prior to 1.8.0
  • Private 5G network deployments using vulnerable Ella Core installations
  • Subscriber management API endpoints in affected versions

Discovery Timeline

  • 2026-04-02 - CVE-2026-34762 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-34762

Vulnerability Analysis

This vulnerability represents a classic parameter binding inconsistency issue where the application accepts the same logical parameter from multiple input sources without proper validation. The PUT /api/v1/subscriber/{imsi} endpoint is designed to update subscriber policies based on the IMSI identifier. However, the implementation accepts the IMSI value from both the URL path parameter and the JSON request body independently.

The core issue lies in the lack of server-side validation to ensure these two IMSI values are identical before processing the request. When a legitimate NetworkManager submits a request, they can specify one IMSI in the URL (which gets logged for audit purposes) while including a different IMSI in the request body (which is used for the actual database operation). This creates a dangerous disconnect between what is audited and what actually occurs.

The vulnerability has been classified under CWE-20 (Improper Input Validation), as the root cause stems from insufficient validation of input parameters before use.

Root Cause

The root cause is the failure to implement a consistency check between the IMSI parameter in the URL path and the IMSI field in the JSON request body. The application processes the request body IMSI for database operations while logging the URL path IMSI for audit purposes, without ever comparing the two values. This architectural oversight allows the attacker to control both the target of the modification (via request body) and the audit record (via URL path) independently.

Attack Vector

The attack requires authenticated access with NetworkManager privileges. An attacker would craft a malicious HTTP PUT request where the URL contains one subscriber's IMSI (which will be recorded in audit logs) while the JSON body contains a different subscriber's IMSI (whose policy will actually be modified).

For example, an attacker could send a request to modify subscriber A's policy (using A's IMSI in the URL for audit logging) while the request body targets subscriber B's record for actual modification. The audit trail would show an authorized change to subscriber A, while subscriber B's policy is silently altered.

This attack enables policy manipulation with audit trail obfuscation, making it difficult for security teams to trace unauthorized changes back to their actual targets.

Detection Methods for CVE-2026-34762

Indicators of Compromise

  • Discrepancies between audit log entries and actual subscriber policy changes in the database
  • Unusual patterns of subscriber policy modifications by NetworkManager accounts
  • HTTP PUT requests to /api/v1/subscriber/{imsi} endpoints where forensic analysis reveals mismatched IMSI values

Detection Strategies

  • Implement log correlation between API audit trails and database transaction logs to identify IMSI mismatches
  • Deploy API gateway rules to inspect and compare IMSI values in both URL paths and request bodies
  • Enable detailed request logging that captures both URL parameters and full request body content for subscriber modification endpoints

Monitoring Recommendations

  • Monitor for unusual subscriber policy modification patterns, especially high-volume changes from single NetworkManager accounts
  • Implement alerting for any detected discrepancies between audit-logged IMSI values and actual database modifications
  • Review NetworkManager activity logs regularly for signs of policy manipulation targeting multiple unrelated subscribers

How to Mitigate CVE-2026-34762

Immediate Actions Required

  • Upgrade Ella Core to version 1.8.0 or later immediately
  • Audit existing subscriber policy records for unauthorized modifications
  • Review NetworkManager account activity logs for suspicious patterns prior to patching
  • Implement additional API gateway validation as a defense-in-depth measure

Patch Information

The vulnerability has been patched in Ella Core version 1.8.0. Organizations should upgrade to this version or later to remediate the issue. The patch implements proper validation to ensure the IMSI in the URL path matches the IMSI in the request body before processing any subscriber policy modifications.

For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-xw45-cc32-442f and the GitHub Release v1.8.0.

Workarounds

  • Implement API gateway validation rules to compare IMSI values in URL paths against request body content and reject mismatched requests
  • Enable enhanced audit logging that captures complete request details including both URL parameters and request body content
  • Restrict NetworkManager account privileges to the minimum necessary and implement additional approval workflows for subscriber policy changes
  • Deploy network segmentation to limit access to the subscriber management API
bash
# Example API gateway rule concept for NGINX/similar proxies
# Validate IMSI consistency before forwarding to backend
# Note: Actual implementation varies by gateway product

# Recommended: Upgrade to Ella Core v1.8.0 for proper fix
# Download: https://github.com/ellanetworks/core/releases/tag/v1.8.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechElla Core
  • SeverityLOW
  • CVSS Score2.7
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-20
  • Technical References
  • GitHub Release v1.8.0
  • GitHub Security Advisory GHSA-xw45-cc32-442f
  • Related CVEs
  • CVE-2026-34761: Ella Core DoS Vulnerability
  • CVE-2026-33903: Ella Core 5G NGAP DoS Vulnerability
  • CVE-2026-33904: Ella Core 5G AMF Deadlock DoS Vulnerability
  • CVE-2026-33906: Ella Core Privilege Escalation Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English