CVE-2026-44320: free5GC NEF Auth Bypass Vulnerability

CVE-2026-44320 is an authentication bypass flaw in free5GC's Network Exposure Function (NEF) that allows attackers to send forged callbacks with arbitrary tokens. This post covers technical details, affected versions, and mitigation.

CVE-2026-44320 Overview

CVE-2026-44320 affects free5GC, an open-source implementation of the 5G core network. The Network Exposure Function (NEF) mounts the nnef-callback route group without inbound OAuth2 or bearer-token authorization. An attacker can submit a forged bearer token such as Authorization: Bearer not-a-real-token and reach the Session Management Function (SMF) callback handler. The callback body is then parsed and dispatched into NEF business logic instead of being rejected at the authentication boundary. The vulnerability is fixed in free5GC version 4.2.2.

Critical Impact

Forged callbacks can manipulate real subscription state in the 5G core network without any valid producer NF authentication.

Affected Products

  • free5GC versions prior to 4.2.2
  • free5GC NEF component (nnef-callback route group)
  • 5G core deployments exposing NEF Service-Based Interface (SBI) endpoints

Discovery Timeline

  • 2026-05-27 - CVE-2026-44320 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44320

Vulnerability Analysis

The vulnerability resides in free5GC's NEF, which exposes Service-Based Interface (SBI) routes to other 5G core network functions. The nnef-callback route group is registered in the HTTP router without any inbound authentication middleware. As a result, any HTTP client that reaches the NEF SBI endpoint can invoke SMF callback handlers regardless of token validity. The handler parses the callback body and dispatches it into NEF business logic, modifying subscription state tied to legitimate producer NFs.

This flaw is classified under [CWE-306] Missing Authentication for Critical Function. The route group is reachable even when the runtime ServiceList does not declare it. The ServiceList exposes only nnef-pfdmanagement and nnef-oam, yet nnef-callback remains routable on the same listener.

Root Cause

The root cause is the absence of OAuth2 or bearer-token validation middleware on the nnef-callback route group at registration time. NEF does not verify the producer NF identity before processing callback content. The same defect pattern appears across other NEF SBI route groups in affected versions, indicating a systemic gap in the authentication boundary.

Attack Vector

An attacker with network access to the NEF SBI endpoint sends a crafted HTTP POST to the SMF callback route. The request carries an arbitrary Authorization: Bearer header that is never validated. If the attacker guesses or obtains a valid NotifId, the forged callback acts on real subscription state. Exploitation requires no privileges and no user interaction.

The vulnerability manifests in the NEF router registration logic. See the GitHub Security Advisory and the GitHub Pull Request for technical details on the fix.

Detection Methods for CVE-2026-44320

Indicators of Compromise

  • HTTP requests to NEF nnef-callback paths carrying malformed or non-issuer bearer tokens
  • SMF callback notifications arriving from source addresses outside the expected producer NF range
  • Unexpected changes to subscription state without correlated legitimate producer NF activity
  • Successful HTTP 200 responses on nnef-callback routes when the runtime ServiceList does not advertise the service

Detection Strategies

  • Inspect NEF access logs for Authorization: Bearer headers that fail offline JWT signature verification
  • Correlate NotifId values in callback requests against issued notification subscriptions to identify forged identifiers
  • Compare advertised ServiceList entries against actually reachable route groups on the NEF listener

Monitoring Recommendations

  • Enable structured logging on all NEF SBI route handlers including request headers and source IPs
  • Forward NEF and SMF logs to a centralized analytics platform for cross-NF correlation
  • Alert on callback requests originating from outside the 5G core service mesh CIDR
  • Track baseline callback volume per producer NF and flag deviations
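One way to run the NotifId correlation from Detection Strategies and the service-mesh CIDR alert from Monitoring Recommendations over NEF access logs, as an added Go example that is not free5GC tooling. The log schema, addresses, NotifId values and the callback sub-path are constructed for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/netip"
	"strings"
)

// Constructed log lines; field names are assumptions, not free5GC's log schema.
const sampleLog = `{"src":"10.100.200.7","path":"/nnef-callback/constructed-path","notif_id":"n-001"}
{"src":"192.0.2.44","path":"/nnef-callback/constructed-path","notif_id":"n-001"}
{"src":"10.100.200.7","path":"/nnef-callback/constructed-path","notif_id":"n-999"}
{"src":"10.100.200.9","path":"/nnef-oam/constructed-path","notif_id":""}`

type entry struct {
	Src     string `json:"src"`
	Path    string `json:"path"`
	NotifID string `json:"notif_id"`
}

// Triage flags nnef-callback requests whose source is outside coreCIDR or whose
// NotifId is not in the issued set. Unparseable lines and other paths are skipped.
func Triage(log, coreCIDR string, issued map[string]bool) ([]string, error) {
	prefix, err := netip.ParsePrefix(coreCIDR)
	if err != nil {
		return nil, err
	}
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var e entry
		if json.Unmarshal(sc.Bytes(), &e) != nil || !strings.HasPrefix(e.Path, "/nnef-callback/") {
			continue
		}
		if addr, err := netip.ParseAddr(e.Src); err != nil || !prefix.Contains(addr) {
			findings = append(findings, "outside-core-cidr src="+e.Src)
		}
		if !issued[e.NotifID] {
			findings = append(findings, "unknown-notifid id="+e.NotifID)
		}
	}
	return findings, sc.Err()
}

func main() {
	fmt.Println(Triage(sampleLog, "10.100.200.0/24", map[string]bool{"n-001": true}))
}
```

In practice the issued set would come from the NEF's own subscription store, and the CIDR from the deployment's service-mesh addressing.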

How to Mitigate CVE-2026-44320

Immediate Actions Required

  • Upgrade free5GC to version 4.2.2 or later, which adds inbound authentication middleware to the nnef-callback route group
  • Restrict network access to NEF SBI endpoints using firewall rules or service mesh policies that permit only known 5G core NFs
  • Rotate any NotifId values that may have been exposed during the vulnerable window

Patch Information

The fix is included in free5GC 4.2.2. The upstream change attaches OAuth2 bearer-token validation to the nnef-callback route group and ensures the route is only mounted when the corresponding service is declared in the runtime ServiceList. Review the GitHub Pull Request and the GitHub Issue Discussion for implementation specifics.
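The behaviour this fix description implies, as an added Go example that is not free5GC's code or the upstream patch: a route group is mounted only when the ServiceList names it, and each mounted group sits behind a bearer check that runs before any callback body is parsed. It uses the standard net/http package rather than the project's router; verifyToken, the token string and the callback sub-path are hypothetical placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// verifyToken is a hypothetical stand-in for OAuth2 access-token validation
// (signature, issuer, audience, scope); it is not free5GC's validation API.
func verifyToken(token, service string) bool { return token == "constructed-valid-token-for-"+service }

// requireBearer rejects the request before the handler reads any callback body.
func requireBearer(service string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || !verifyToken(strings.TrimPrefix(auth, "Bearer "), service) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter mounts only the groups named in serviceList, each behind requireBearer.
func NewRouter(serviceList []string, groups map[string]http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	for _, svc := range serviceList {
		if h, ok := groups[svc]; ok {
			mux.Handle("/"+svc+"/", requireBearer(svc, h))
		}
	}
	return mux
}

// CallbackStatus posts a constructed callback and returns the HTTP status code.
func CallbackStatus(serviceList []string, token string) int {
	cb := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) })
	mux := NewRouter(serviceList, map[string]http.Handler{"nnef-callback": cb})
	req := httptest.NewRequest(http.MethodPost, "/nnef-callback/constructed-path", strings.NewReader("{}"))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(CallbackStatus([]string{"nnef-oam"}, "not-a-real-token"), CallbackStatus([]string{"nnef-callback"}, "not-a-real-token"))
}
```

With the ServiceList limited to nnef-pfdmanagement and nnef-oam the callback path is not routable at all, and once nnef-callback is declared a forged token is refused before the handler runs.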

Workarounds

  • Deploy a reverse proxy in front of NEF that enforces bearer-token validation on nnef-callback paths before forwarding requests
  • Apply mutual TLS between NEF and producer NFs to reject unauthenticated callers at the transport layer
  • Use network policies to drop traffic to nnef-callback routes from any source that is not an authorized SMF instance

```bash
# Example NetworkPolicy restricting NEF SBI ingress to SMF pods
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nef-sbi-restrict
  namespace: free5gc
spec:
  podSelector:
    matchLabels:
      nf: nef
  ingress:
    - from:
        - podSelector:
            matchLabels:
              nf: smf
      ports:
        - protocol: TCP
          port: 8000
EOF
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
