CVE-2026-44330
Received - Intake
BaseFortify

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
free5gc | free5gc | to 4.2.2 (inc)
CWE ID | Description
CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects free5GC, an open-source 5G core network implementation. Specifically, prior to version 4.2.2, the NEF component mounts the nnef-pfdmanagement route group without requiring inbound OAuth2 or bearer-token authorization.

As a result, a network attacker who can access the NEF on the Service-Based Interface (SBI) can use a forged or arbitrary bearer token (for example, "Authorization: Bearer not-a-real-token") to perform the following unauthorized actions:

  • Read PFD application data via GET /applications and GET /applications/{appID}
  • Create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}

The root cause is that the route group is mounted without any inbound authentication middleware, despite being declared in the runtime ServiceList and expected to be protected by OAuth2 settings.

This vulnerability was fixed in free5GC version 4.2.2.


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows an attacker to bypass authentication and gain unauthorized access to sensitive network functions.

  • An attacker can read PFD (Packet Flow Description) application data, potentially exposing sensitive information.
  • An attacker can create or delete PFD change-notification subscriptions, which could disrupt network operations or monitoring.

Given the CVSS base score of 10.0, this is a critical vulnerability with a network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in free5GC version 4.2.2. Immediate mitigation involves upgrading free5GC to version 4.2.2 or later.

This vulnerability arises because the nnef-pfdmanagement route group is mounted without inbound OAuth2/bearer-token authorization. Ensuring that OAuth2 authorization is properly enforced on this route group can mitigate the issue.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized access to sensitive Packet Flow Description (PFD) application data and the ability to create or delete subscriptions, which can lead to data exposure, integrity compromise, and service disruption.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and mandate protection against unauthorized disclosure and modification.

Because the vulnerability enables attackers to read sensitive traffic classification policies and manipulate subscriptions without proper authorization, it undermines the confidentiality, integrity, and availability principles central to these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the free5GC NEF's nnef-pfdmanagement API endpoints without valid OAuth2 or bearer-token authorization. Specifically, you can test if the endpoints /applications, /applications/{appID}, /subscriptions, and /subscriptions/{subID} are accessible with a forged or arbitrary bearer token.

Suggested commands include using curl to send HTTP requests with an invalid bearer token to these endpoints and checking if access is granted:

  • curl -H "Authorization: Bearer not-a-real-token" http://<NEF_IP>:<PORT>/applications
  • curl -H "Authorization: Bearer not-a-real-token" http://<NEF_IP>:<PORT>/applications/<appID>
  • curl -X POST -H "Authorization: Bearer not-a-real-token" http://<NEF_IP>:<PORT>/subscriptions -d '<subscription_data>'
  • curl -X DELETE -H "Authorization: Bearer not-a-real-token" http://<NEF_IP>:<PORT>/subscriptions/<subID>

If these requests succeed without proper authorization errors, it indicates the vulnerability is present.
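
The root cause named in the mitigation answer and the forged-token check described above, as an added example in Go (not free5GC's code): a constructed net/http route group is served with and without a bearer-token middleware and probed in-process with the advisory's forged token. `TokenValidator`, `requireBearer`, `pfdRoutes`, `mountFixed`, `demoValidator` and `probe` are hypothetical names, and the validator stands in for real verification of an NRF-issued token.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenValidator is a hypothetical stand-in for verifying an NRF-issued token; not free5GC's API.
type TokenValidator func(token, service string) bool

// requireBearer rejects requests whose bearer token is missing or fails validation.
func requireBearer(service string, valid TokenValidator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		tok := strings.TrimPrefix(auth, "Bearer ")
		if tok == auth || tok == "" || !valid(tok, service) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// pfdRoutes: constructed group for the advisory's paths; served as-is it has no inbound auth.
func pfdRoutes() http.Handler {
	mux := http.NewServeMux()
	for _, p := range []string{"/applications", "/applications/", "/subscriptions", "/subscriptions/"} {
		mux.HandleFunc(p, func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "{}") })
	}
	return mux
}

// mountFixed wraps the whole group so every route inherits the token check.
func mountFixed(v TokenValidator) http.Handler { return requireBearer("nnef-pfdmanagement", v, pfdRoutes()) }

// demoValidator accepts only one constructed token value.
func demoValidator(token, _ string) bool { return token == "constructed-valid-token" }

// probe replays one request in-process and returns the HTTP status code.
func probe(h http.Handler, method, path, token string) int {
	rec, req := httptest.NewRecorder(), httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe(pfdRoutes(), "GET", "/applications", "not-a-real-token"), probe(mountFixed(demoValidator), "GET", "/applications", "not-a-real-token"))
}
```

Wrapping the group once, rather than each handler, means a route added later cannot be left outside the check.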

