CVE-2026-44326
NEF API Authorization Bypass in free5GC
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | to 4.2.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The NEF (Network Exposure Function) mounts the 3gpp-traffic-influence API without requiring inbound OAuth2 or bearer-token authorization. This means that a network attacker who can access the NEF on the SBI (Service-Based Interface) can create, read, modify, or delete traffic-influence subscriptions without proper authorization.
Attackers can perform these actions either without any Authorization header or by using a forged bearer token. This includes creating subscriptions that affect group or any-UE (User Equipment) traffic steering, such as those with AnyUeInd=true. Additionally, the route group is accessible even if the service is disabled in the running configuration, exposing operators who believe they have disabled the service.
This vulnerability was fixed in version 4.2.2 of free5GC.
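The two missing checks described above, sketched as an added example using Go's standard `net/http`; this is not free5GC's code or its actual fix. `Guard`, `TokenVerifier`, `DemoVerify`, `Unguarded` and `Status` are hypothetical names, the token is constructed, and the request path is the simplified one used in this page's detection commands.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const tiService = "3gpp-traffic-influence" // name as declared in ServiceList
// TokenVerifier is a hypothetical stand-in for real OAuth2 access-token validation.
type TokenVerifier func(token, scope string) bool

// Guard serves next only if the service is declared and the bearer token verifies.
func Guard(serviceList []string, verify TokenVerifier, next http.Handler) http.Handler {
	enabled := false
	for _, s := range serviceList {
		enabled = enabled || s == tiService
	}
	if !enabled {
		return http.NotFoundHandler() // undeclared: behave as if never mounted
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authz := r.Header.Get("Authorization")
		if !strings.HasPrefix(authz, "Bearer ") || !verify(authz[len("Bearer "):], tiService) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Unguarded models the flawed mount: the handler answers any caller.
var Unguarded = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

func DemoVerify(tok, _ string) bool { return tok == "constructed-valid-token" } // demo only

// Status sends one in-memory request through h and returns the response code.
func Status(h http.Handler, method, authz string) int {
	req := httptest.NewRequest(method, "/traffic-influence/subscriptions", nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Status(Unguarded, "POST", ""), Status(Guard([]string{tiService}, DemoVerify, Unguarded), "POST", ""))
}
```

A production verifier would validate the token's signature, expiry, audience and scope rather than compare strings.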
How can this vulnerability impact me?
The vulnerability allows an attacker to manipulate traffic-influence subscriptions on the 5G core network without authorization. This can lead to unauthorized creation, reading, modification, or deletion of traffic steering rules.
Such unauthorized control can impact network traffic management, potentially disrupting service quality, redirecting or blocking user traffic, and affecting multiple users or groups of users.
Because the attacker can operate without valid credentials, the risk of exploitation is high, and the impact includes loss of integrity and availability of network services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade free5GC to version 4.2.2 or later, where the issue is fixed.
Be aware that disabling the 3gpp-traffic-influence API via configuration alone is not sufficient, as the route group remains reachable even if not declared in the ServiceList.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated or forged token requests to create, read, modify, and delete traffic-influence subscriptions in the free5GC NEF component. This unauthorized access can lead to manipulation of traffic steering policies, potentially impacting the confidentiality, integrity, and availability of network data.
Such unauthorized access and manipulation could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and network operations to protect user privacy and ensure data integrity.
Because the vulnerability bypasses OAuth2 authorization, it undermines security controls that are often mandated by these standards, increasing the risk of data breaches or unauthorized data processing.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the free5GC NEF 3gpp-traffic-influence API is accessible without proper OAuth2 bearer-token authorization. Specifically, you can test if requests to the NEF's traffic-influence endpoints succeed without valid tokens or with forged tokens.
A practical approach is to send HTTP requests to the NEF 3gpp-traffic-influence API endpoints without an Authorization header or with an invalid bearer token and observe if the server allows create, read, patch, or delete operations on traffic-influence subscriptions.
- Use curl to send a request without an Authorization header, for example: `curl -X GET http://<nef-ip>:<port>/traffic-influence/subscriptions`
- Use curl to send a request with a forged bearer token, for example: `curl -X POST http://<nef-ip>:<port>/traffic-influence/subscriptions -H "Authorization: Bearer not-a-real-token" -d '{"AnyUeInd":true}'`
If these requests succeed (e.g., return HTTP 200 or 201), the vulnerability is present. A properly secured NEF should reject such requests with an HTTP 401 or 403 status code.