CRITICAL🇵🇱 Wersja polska

CVE-2026-44327

CVSS 10.0v3.1pub. 2026-05-27upd. 2026-05-28

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2.

🤖 AI Analysis
How it works

The NEF component mounts the nnef-oam route group without middleware verifying OAuth2 token or bearer token on the incoming side. This means HTTP requests to this route group are accepted and processed regardless of the presence or validity of the authorization header. Although the current OAM handler is a stub returning null, the defect is structural and affects the entire route group — any future OAM operation added to this group automatically inherits the missing authorization boundary. In this way, the vulnerability has the potential to expand its scope with code development.

Impact

An attacker with access to the SBI interface can gain unauthorized access to management operations (OAM) without any credentials, creating a risk of compromising the integrity and availability of the 5G core network and exposing configuration data once new operations are added to the route group.

Mitigation & patch

Update free5GC to version 4.2.2, where the vulnerability has been fixed. Details available in the official project security advisory and pull request #23 in the nef repository.

Who is affected

free5GC (open-source 5G core network implementation) — NEF component, all versions before 4.2.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
  • Free5gc

    APP
    Free5Gc
    < 4.2.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44330CRITICAL10.0PL ✓ten sam produkt

free5GC NEF: brak autoryzacji OAuth2 na trasach nnef-pfdmanagement

CVE-2026-44329CRITICAL10.0PL ✓ten sam produkt

free5GC SMF: brak autoryzacji OAuth2 na endpointach UPI — pełny dostęp bez uwierzytelnienia

CVE-2026-44326CRITICAL9.4PL ✓ten sam produkt

Brak autoryzacji OAuth2 w API NEF systemu free5GC (5G core)

CVE-2026-44315CRITICAL9.4PL ✓ten sam produkt

Brak autoryzacji OAuth2 w NEF API sieci 5G (free5GC)

CVE-2023-4659CRITICAL9.8ten sam produkt

Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different acti...