CVE-2026-44320
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | 4.2.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The NEF (Network Exposure Function) mounts the nnef-callback route group without requiring inbound OAuth2 or bearer-token authorization. This means that an attacker can use a forged or arbitrary bearer token, such as "Authorization: Bearer not-a-real-token", to access the SMF-callback handler.
Because the callback body is parsed and processed by NEF business logic without proper authentication, an attacker who can guess or obtain a valid NotifId can send forged callbacks that act on real subscription states. The root cause is that the route group is mounted without any inbound authentication middleware, and NEF does not authenticate the producer NF identity before processing callback content.
Additionally, this route group is reachable even if the runtime ServiceList does not declare it, increasing the attack surface. This vulnerability was fixed in version 4.2.2.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass authentication and send forged callbacks to the NEF, which will then process them as if they were legitimate. This can lead to unauthorized actions on real subscription states within the 5G core network.
The impact includes potential unauthorized access, manipulation, or disruption of network functions related to subscriber information, which can compromise confidentiality, integrity, and availability of the affected system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in free5GC version 4.2.2. Immediate mitigation should include upgrading free5GC to version 4.2.2 or later.
Since the issue is caused by the NEF mounting the nnef-callback route group without inbound OAuth2/bearer-token authorization, ensure that inbound authentication middleware is properly configured to validate bearer tokens before processing callbacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in free5GC NEF allows unauthenticated and unauthorized access to critical network functions by bypassing OAuth2 bearer-token authorization. This can lead to manipulation of subscription state and corruption of downstream policy decisions, impacting confidentiality, integrity, and availability of data and services.
Such unauthorized access and potential data manipulation could violate common security requirements found in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data to ensure privacy and data integrity.
Because the vulnerability allows forged callbacks to act on real subscription states without proper authentication, it increases the risk of unauthorized data access or modification, which may lead to non-compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the free5GC NEF component is exposing the nnef-callback route group without proper OAuth2 or bearer-token authorization. Specifically, you can attempt to send HTTP requests with arbitrary or forged bearer tokens to the nnef-callback endpoint and observe if the requests are accepted and processed instead of being rejected.
A simple detection method is to send a crafted HTTP request with an invalid bearer token to the nnef-callback endpoint and check the response. If the endpoint processes the request or returns a response other than an authentication error, the vulnerability may be present.
- Use curl to send a request with an invalid bearer token: curl -X POST https://<nef-ip>:<port>/nnef-callback -H "Authorization: Bearer not-a-real-token" -d '<callback-body>' -v
- Observe the HTTP response code and body. A 200 OK or any response indicating processing means the endpoint is not properly authenticating requests.
- Check the running free5GC NEF version. Versions prior to 4.2.2 are vulnerable.
- Verify if the nnef-callback route is accessible even when not declared in the runtime ServiceList configuration.