CVE-2026-34762

Description

## Summary The `PUT /api/v1/subscriber/{imsi}` API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any subscriber's policy while the audit trail records a fabricated or unrelated subscriber IMSI. ## Impact A NetworkManager or Admin can modify any subscriber's QoS policy (potentially degrading service or altering traffic routing) while the audit log attributes the change to a non-existent or unrelated subscriber. Post-incident forensic searches for the affected subscriber's IMSI would find no matching audit entries. ## Fix Remove the IMSI as a body param and use the path param as a single source of truth.

How to fix CVE-2026-34762

To remediate CVE-2026-34762, upgrade the affected package to a fixed version below.

• —upgrade to 1.8.0 or later

Is CVE-2026-34762 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.8.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-34762
• PATCHgithub.com/ellanetworks/core
• WEBgithub.com/ellanetworks/core/commit/7f64b7a7c7a22cb9c05ac2c1c3a0cf0eaefac3e5
• WEBgithub.com/ellanetworks/core/releases/tag/v1.8.0