CRITICAL🇵🇱 Wersja polska

CVE-2026-44330

CVSS 10.0v3.1pub. 2026-05-27upd. 2026-05-28

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2.

🤖 AI Analysis
How it works

The nnef-pfdmanagement route group is mounted in NEF without any middleware verifying the incoming authorization token. This means that the 'Authorization: Bearer <anything>' header is accepted without validation, and actual caller identity verification does not occur. Although nnef-pfdmanagement is listed in the production ServiceList and should be protected by the OAuth2 setting 'receive from NRF: true', this protection is not actually enforced. Thus, any entity with network access to the NEF SBI interface can perform GET /applications, GET /applications/{appID}, POST /subscriptions, and DELETE /subscriptions/{subID} operations without authentication.

Impact

An attacker with network access to the SBI can read PFD application configuration data (confidentiality breach) and create or delete PFD change notification subscriptions, which may disrupt the operation of the production 5G Core network (integrity and availability breach).

Mitigation & patch

Update free5GC to version 4.2.2 or later, where the vulnerability has been fixed. Additionally, until updating, it is recommended to restrict network access to the NEF SBI interface exclusively to trusted core network components using firewall rules or network segmentation.

Who is affected

free5GC in all versions before 4.2.2 — affects the NEF (Network Exposure Function) component in the 5G Core network implementation

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
  • Free5gc

    APP
    Free5Gc
    < 4.2.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44329CRITICAL10.0PL ✓ten sam produkt

free5GC SMF: brak autoryzacji OAuth2 na endpointach UPI — pełny dostęp bez uwierzytelnienia

CVE-2026-44327CRITICAL10.0PL ✓ten sam produkt

Brak autoryzacji OAuth2 w grupie tras OAM w free5GC NEF (5G core)

CVE-2026-44326CRITICAL9.4PL ✓ten sam produkt

Brak autoryzacji OAuth2 w API NEF systemu free5GC (5G core)

CVE-2026-44315CRITICAL9.4PL ✓ten sam produkt

Brak autoryzacji OAuth2 w NEF API sieci 5G (free5GC)

CVE-2023-4659CRITICAL9.8ten sam produkt

Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different acti...