CVE Catalog

CVE-2026-44320

High
Published: Translated: NVD NIST

Summary

In versions prior to 4.2.2, free5GC's NEF did not require OAuth2/bearer-token authorization for the nnef-callback route group, allowing the use of a forged token to access the SMF-callback handler. The lack of authorization enables attackers to manipulate the actual subscription state.

Risk Assessment

Organizations using free5GC may be exposed to attacks that allow unauthorized modifications of subscription states, potentially leading to serious security breaches and data integrity issues.

Recommendation

It is recommended to upgrade to version 4.2.2 or later to implement proper authorization mechanisms for the nnef-callback route group.

Original NVD description (English source)

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS