CVE-2026-44326 Overview
CVE-2026-44326 is a missing authorization vulnerability [CWE-862] in free5GC, an open-source implementation of the 5G core network. The Network Exposure Function (NEF) mounts the 3gpp-traffic-influence API without enforcing inbound OAuth2 or bearer-token authorization. Any network attacker who can reach NEF on the Service-Based Interface (SBI) can create, read, modify, and delete traffic-influence subscriptions. Requests succeed with no Authorization header or with a forged bearer token. The route group remains reachable even when operators omit it from the running config's ServiceList. The issue is fixed in free5GC version 4.2.2.
Critical Impact
Unauthenticated attackers with SBI network access can manipulate 5G traffic-steering subscriptions, including AnyUeInd=true entries that affect group-wide or any-UE traffic routing.
Affected Products
- free5GC versions prior to 4.2.2
- free5GC Network Exposure Function (NEF) component
- Deployments exposing the 3gpp-traffic-influence API on the SBI
Discovery Timeline
- 2026-05-27 - CVE-2026-44326 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44326
Vulnerability Analysis
The vulnerability resides in the free5GC NEF, which exposes the 3gpp-traffic-influence API used to influence routing of traffic for specific UEs or groups. The HTTP route group serving this API is mounted without an authorization middleware. As a result, the NEF accepts requests that carry no Authorization header at all, as well as requests using arbitrary forged values such as Authorization: Bearer not-a-real-token. No OAuth2 token validation occurs against the NRF, and no signature or audience check filters out unauthenticated callers.
Attackers can issue POST, GET, PATCH, and DELETE requests against traffic-influence subscriptions. This includes creating subscriptions with AnyUeInd=true, which target any UE or group-level traffic steering rather than a single device. A secondary defect compounds the exposure: the route group is registered unconditionally, so the API remains reachable even when operators remove the service from the ServiceList in the running configuration.
Root Cause
The root cause is missing authorization enforcement [CWE-862] at the HTTP routing layer of the NEF 3gpp-traffic-influence service. The handlers were attached without the bearer-token verification step required by 3GPP SBI specifications. A second defect compounds it: the route group is registered unconditionally rather than only when the service appears in ServiceList, so disabling the service in config does not detach the routes.
Attack Vector
Exploitation requires network reachability to the NEF SBI endpoint. An attacker positioned on the operator's SBI network, an adjacent NF, or a compromised internal host sends HTTP requests directly to the traffic-influence URIs. No credentials, prior compromise, or user interaction are required. Successful requests allow the attacker to redirect, monitor, or disrupt application traffic for arbitrary subscribers, undermining integrity and availability of the 5G data plane.
See the GitHub Security Advisory GHSA-3p28-73q7-45xp for the maintainer's technical write-up.
Detection Methods for CVE-2026-44326
Indicators of Compromise
- HTTP requests to NEF 3gpp-traffic-influence paths lacking a valid OAuth2 token issued by the NRF.
- Requests presenting obviously malformed bearer tokens such as Bearer not-a-real-token or empty token values.
- Unexpected creation of traffic-influence subscriptions with AnyUeInd=true or unfamiliar afId values.
- PATCH or DELETE operations on subscription IDs from source addresses outside the approved AF allowlist.
Detection Strategies
- Inspect NEF access logs for 3gpp-traffic-influence URIs and correlate every request with a corresponding NRF-issued access token.
- Deploy SBI-aware network monitoring that validates JWT signatures on the wire and alerts on unsigned or invalid tokens. This only works where the monitor sees plaintext HTTP (TLS terminated or decrypted at the monitoring point) and is provisioned with the NRF's token-signing public key; otherwise fall back to log-based correlation.
- Diff active traffic-influence subscriptions against an authoritative inventory of approved Application Function (AF) entries.
Monitoring Recommendations
- Forward NEF HTTP and audit logs to a centralized analytics platform and alert on 401/403 anomalies or, conversely, 2xx responses to unauthenticated callers.
- Baseline normal AF source IPs and subscription volumes, then alert on deviations such as AnyUeInd=true subscriptions from new sources.
- Continuously verify that every deployed NEF is built from free5GC 4.2.2 or later, using your deployment inventory and build metadata rather than trusting a running service alone.
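The log-correlation and baseline checks in the two lists above, as an added example that is neither part of this page nor free5GC code. Everything about the data is an assumption: the NEF access log is modelled as one JSON line per request whose logging layer records the jti claim of any parseable bearer token and the AnyUeInd flag from the body; the NRF token-issuance record is a set of jti values; the AF source range, the known afId set and the sample log lines are all constructed for the example. The rules are the page's four indicators: a 2xx response whose token the NRF never issued (the vulnerability signature), a mutating call from outside the AF allowlist, an AnyUeInd=true subscription, and an unfamiliar afId in the path.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Assumed NEF access-log shape (constructed for this example, not free5GC's
// real log format): one JSON object per request.
type accessRecord struct {
	TS       string `json:"ts"`
	Src      string `json:"src"`
	Method   string `json:"method"`
	Path     string `json:"path"`
	Status   int    `json:"status"`
	TokenJTI string `json:"token_jti"`  // "" when no or unparseable Authorization header
	AnyUeInd bool   `json:"any_ue_ind"` // lifted from the request body on POST/PATCH
}

type finding struct {
	Rule string
	Line int
	Src  string
	AfID string
}

// Constructed sample log: line 2 is the bare vulnerability signature (2xx with
// no token), lines 3-4 come from an unlisted host, line 6 uses an unknown afId.
const nefLog = `{"ts":"2026-05-28T10:00:01Z","src":"10.0.10.5","method":"POST","path":"/3gpp-traffic-influence/v1/af-edge-1/subscriptions","status":201,"token_jti":"jti-1001","any_ue_ind":false}
{"ts":"2026-05-28T10:00:02Z","src":"10.0.10.5","method":"POST","path":"/3gpp-traffic-influence/v1/af-edge-1/subscriptions","status":201,"token_jti":"","any_ue_ind":false}
{"ts":"2026-05-28T10:00:03Z","src":"192.168.7.9","method":"POST","path":"/3gpp-traffic-influence/v1/af-edge-1/subscriptions","status":201,"token_jti":"","any_ue_ind":true}
{"ts":"2026-05-28T10:00:04Z","src":"192.168.7.9","method":"DELETE","path":"/3gpp-traffic-influence/v1/af-edge-1/subscriptions/sub-42","status":204,"token_jti":"forged","any_ue_ind":false}
{"ts":"2026-05-28T10:00:05Z","src":"10.0.10.6","method":"GET","path":"/3gpp-traffic-influence/v1/af-edge-1/subscriptions","status":200,"token_jti":"jti-1002","any_ue_ind":false}
{"ts":"2026-05-28T10:00:06Z","src":"10.0.10.7","method":"POST","path":"/3gpp-traffic-influence/v1/af-unknown/subscriptions","status":201,"token_jti":"jti-1002","any_ue_ind":false}`

// Constructed NRF issuance record (jti of every token the NRF handed out for
// this service), the approved AF source range, and the AF inventory.
var nrfIssued = map[string]bool{"jti-1001": true, "jti-1002": true}
var afSources = []string{"10.0.10.0/24"}
var knownAFs = map[string]bool{"af-edge-1": true}

func inCIDRs(ip string, cidrs []string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(addr) {
			return true
		}
	}
	return false
}

// afIDFromPath returns {afId} from /3gpp-traffic-influence/v1/{afId}/..., or ""
// for any other path, so non-traffic-influence requests are skipped.
func afIDFromPath(p string) string {
	const prefix = "/3gpp-traffic-influence/v1/"
	if !strings.HasPrefix(p, prefix) {
		return ""
	}
	return strings.SplitN(strings.TrimPrefix(p, prefix), "/", 2)[0]
}

func analyze(log string, issued map[string]bool, afCIDRs []string, afs map[string]bool) []finding {
	var out []finding
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var r accessRecord
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			continue
		}
		afID := afIDFromPath(r.Path)
		if afID == "" {
			continue
		}
		add := func(rule string) { out = append(out, finding{rule, i + 1, r.Src, afID}) }
		mutating := r.Method == "POST" || r.Method == "PUT" || r.Method == "PATCH" || r.Method == "DELETE"
		// A 2xx whose token the NRF never issued means the NEF accepted the
		// request without verifying the caller: the CVE signature.
		if r.Status >= 200 && r.Status < 300 && !issued[r.TokenJTI] {
			add("2xx-without-nrf-issued-token")
		}
		if mutating && !inCIDRs(r.Src, afCIDRs) {
			add("mutation-from-unlisted-source")
		}
		if r.AnyUeInd && (r.Method == "POST" || r.Method == "PATCH") {
			add("anyue-subscription")
		}
		if !afs[afID] {
			add("unknown-afid")
		}
	}
	return out
}

func countByRule(fs []finding) map[string]int {
	c := map[string]int{}
	for _, f := range fs {
		c[f.Rule]++
	}
	return c
}

func main() {
	for _, f := range analyze(nefLog, nrfIssued, afSources, knownAFs) {
		fmt.Printf("line %d %-32s src=%s afId=%s\n", f.Line, f.Rule, f.Src, f.AfID)
	}
}
```

On the sample data this yields seven findings; line 3 alone trips three rules. The first rule is the one worth paging on: any 2xx to these paths that cannot be joined to an NRF-issued token is direct evidence the unpatched route group is reachable, regardless of where the caller sits.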
How to Mitigate CVE-2026-44326
Immediate Actions Required
- Upgrade free5GC to version 4.2.2 or later, which adds OAuth2/bearer-token enforcement on the 3gpp-traffic-influence routes.
- Restrict network reachability to the NEF SBI using firewall rules or service mesh policies so only authorized NFs and AFs can connect.
- Audit existing traffic-influence subscriptions and remove any entries not tied to a known, authorized Application Function.
Patch Information
The maintainers fixed the issue in free5GC 4.2.2. The corresponding code change is published in free5gc/nef pull request #23, which adds bearer-token validation to the affected routes and respects the ServiceList configuration. Operators should review the GitHub issue report for upgrade notes.
Workarounds
- Place an authenticating reverse proxy or service mesh sidecar in front of NEF to reject requests missing valid NRF-issued tokens.
- Apply strict network segmentation so the NEF SBI port is only reachable from approved Application Function IP ranges.
- Until patched, remove any Internet or external exposure of the NEF, and treat existing traffic-influence subscriptions as untrusted in any environment where hosts other than approved AFs could reach the SBI.
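The in-process fix described under Root Cause (an authorization middleware on the route group, mounted only when ServiceList enables the service) and the reverse-proxy workaround above are the same check applied at different layers, so one added example covers both. This is not free5GC code and not the content of the upstream fix. Its assumptions: access tokens are HS256 JWTs signed with a key shared with the NRF (a real NRF normally signs with an asymmetric key, so replace the HMAC check with an RSA or ECDSA verify), the token carries a single-string aud and a space-separated scope, and the ServiceList entry name, scope string, audience and the upstream NEF address are illustrative placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

// Added example, not free5GC code. All four values are assumptions.
const (
	serviceName   = "nnef-trafficinfluence" // assumed ServiceList entry name
	requiredScope = "nnef-trafficinfluence" // assumed scope the NRF grants for this API
	expectedAud   = "NEF"
	routePrefix   = "/3gpp-traffic-influence/"
)

type claims struct {
	Aud   string `json:"aud"`
	Scope string `json:"scope"`
	Exp   int64  `json:"exp"`
	Jti   string `json:"jti"`
}

var errUnauthorized = errors.New("unauthorized")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken stands in for the NRF's token endpoint (HS256, assumed shared key).
func mintToken(key []byte, c claims) string {
	body, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyBearer does what the vulnerable route group never did: require a Bearer
// token, pin the algorithm, check the signature before trusting any claim, then
// check expiry, audience and scope. Missing header, "not-a-real-token", wrong
// key, expired or wrong-scope tokens all fail closed.
func verifyBearer(key []byte, authz string, now time.Time) (*claims, error) {
	if !strings.HasPrefix(authz, "Bearer ") {
		return nil, errUnauthorized
	}
	parts := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if len(parts) != 3 {
		return nil, errUnauthorized
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errUnauthorized // rejects alg=none and algorithm confusion
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errUnauthorized
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errUnauthorized
	}
	if c.Exp <= now.Unix() || c.Aud != expectedAud {
		return nil, errUnauthorized
	}
	for _, s := range strings.Fields(c.Scope) {
		if s == requiredScope {
			return &c, nil
		}
	}
	return nil, errUnauthorized
}

// requireToken wraps any handler: the in-process route group, or a reverse
// proxy when deployed as a sidecar in front of an unpatched NEF.
func requireToken(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := verifyBearer(key, r.Header.Get("Authorization"), time.Now()); err != nil {
			w.Header().Set("WWW-Authenticate", `Bearer realm="nef"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux mounts the traffic-influence routes only when the service is listed in
// the configured ServiceList, and never without requireToken in front of them.
func newMux(key []byte, serviceList []string, handler http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	for _, s := range serviceList {
		if s == serviceName {
			mux.Handle(routePrefix, requireToken(key, handler))
			break
		}
	}
	return mux
}

func main() {
	key := []byte("demo-shared-secret-replace-me")   // assumption: key shared with the NRF
	upstream, _ := url.Parse("http://127.0.0.1:8000") // assumed NEF SBI address
	mux := newMux(key, []string{serviceName}, httputil.NewSingleHostReverseProxy(upstream))
	// TLS termination omitted for brevity; serve with ListenAndServeTLS in production.
	log.Fatal(http.ListenAndServe("127.0.0.1:8443", mux))
}
```

Run as written it acts as the sidecar workaround on 127.0.0.1:8443 in front of an NEF on port 8000; dropping the same requireToken around the real handlers instead of a proxy is the in-process shape of the fix. Two details matter for the pinned-down behaviour: the signature is checked before any claim is decoded, so a tampered payload never influences the decision, and an empty ServiceList leaves the routes unregistered (404) rather than reachable-but-disabled.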
# Configuration example: upgrade and verify free5GC NEF (paths, host names, port and the AF range are placeholders)
git -C /opt/free5gc fetch --tags
git -C /opt/free5gc checkout v4.2.2
# The NFs live in git submodules, so update them before building
git -C /opt/free5gc submodule sync && git -C /opt/free5gc submodule update --init
make -C /opt/free5gc nef
# Verify version after restart (assumes a version endpoint; adjust to how your deployment reports it)
curl -s http://nef.svc.local:8000/version
# Example firewall rules restricting the NEF SBI port (8000 assumed) to an approved AF range;
# add equivalent ACCEPT rules for any core NF that must reach NEF before the final DROP
iptables -A INPUT -p tcp --dport 8000 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.