CVE-2026-44320
Analyzed Analyzed - Analysis Complete
NEF Missing OAuth2 Authorization in free5GC

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44320
EUVD
EUVD-2026-32578
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The NEF (Network Exposure Function) mounts the nnef-callback route group without requiring inbound OAuth2 or bearer-token authorization. This means that an attacker can use a forged or arbitrary bearer token, such as "Authorization: Bearer not-a-real-token", to access the SMF-callback handler.

Because the callback body is parsed and processed by NEF business logic without proper authentication, an attacker who can guess or obtain a valid NotifId can send forged callbacks that act on real subscription states. The root cause is that the route group is mounted without any inbound authentication middleware, and NEF does not authenticate the producer NF identity before processing callback content.

Additionally, this route group is reachable even if the runtime ServiceList does not declare it, increasing the attack surface. This vulnerability was fixed in version 4.2.2.

Impact Analysis

This vulnerability can allow an attacker to bypass authentication and send forged callbacks to the NEF, which will then process them as if they were legitimate. This can lead to unauthorized actions on real subscription states within the 5G core network.

The impact includes potential unauthorized access, manipulation, or disruption of network functions related to subscriber information, which can compromise confidentiality, integrity, and availability of the affected system.

Mitigation Strategies

The vulnerability is fixed in free5GC version 4.2.2. Immediate mitigation should include upgrading free5GC to version 4.2.2 or later.

Since the issue is caused by the NEF mounting the nnef-callback route group without inbound OAuth2/bearer-token authorization, ensure that inbound authentication middleware is properly configured to validate bearer tokens before processing callbacks.

Compliance Impact

The vulnerability in free5GC NEF allows unauthenticated and unauthorized access to critical network functions by bypassing OAuth2 bearer-token authorization. This can lead to manipulation of subscription state and corruption of downstream policy decisions, impacting confidentiality, integrity, and availability of data and services.

Such unauthorized access and potential data manipulation could violate common security requirements found in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data to ensure privacy and data integrity.

Because the vulnerability allows forged callbacks to act on real subscription states without proper authentication, it increases the risk of unauthorized data access or modification, which may lead to non-compliance with these regulations.

Detection Guidance

This vulnerability can be detected by checking if the free5GC NEF component is exposing the nnef-callback route group without proper OAuth2 or bearer-token authorization. Specifically, you can attempt to send HTTP requests with arbitrary or forged bearer tokens to the nnef-callback endpoint and observe if the requests are accepted and processed instead of being rejected.

A simple detection method is to send a crafted HTTP request with an invalid bearer token to the nnef-callback endpoint and check the response. If the endpoint processes the request or returns a response other than an authentication error, the vulnerability may be present.

  • Use curl to send a request with an invalid bearer token: curl -X POST https://<nef-ip>:<port>/nnef-callback -H "Authorization: Bearer not-a-real-token" -d '<callback-body>' -v
  • Observe the HTTP response code and body. A 200 OK or any response indicating processing means the endpoint is not properly authenticating requests.
  • Check the running free5GC NEF version. Versions prior to 4.2.2 are vulnerable.
  • Verify if the nnef-callback route is accessible even when not declared in the runtime ServiceList configuration.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44320. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart