CVE-2026-44330: free5GC NEF Auth Bypass Vulnerability

CVE-2026-44330 is an authentication bypass vulnerability in free5GC's NEF component allowing attackers to use forged tokens to access PFD data. This post covers technical details, affected versions, and mitigation.

CVE-2026-44330 Overview

CVE-2026-44330 is a missing authorization vulnerability [CWE-863] in free5GC, an open-source implementation of the 5G core network. The flaw resides in the Network Exposure Function (NEF) component, where the nnef-pfdmanagement route group is mounted without inbound OAuth2 or bearer-token authorization middleware. Any network-reachable attacker on the Service-Based Interface (SBI) can submit a forged or arbitrary bearer token to access Packet Flow Description (PFD) data and manipulate subscriptions. The vulnerability affects all versions prior to 4.2.2.

Critical Impact

Unauthenticated network attackers can read PFD application data and create or delete PFD change-notification subscriptions on the NEF SBI without valid credentials.

Affected Products

  • free5GC versions prior to 4.2.2
  • free5GC Network Exposure Function (NEF) component
  • Deployments exposing the nnef-pfdmanagement route group on the SBI

Discovery Timeline

  • 2026-05-27 - CVE-2026-44330 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44330

Vulnerability Analysis

The vulnerability stems from improper authorization enforcement on the NEF nnef-pfdmanagement API route group. In a correctly configured 5G core, the NEF advertises this service through the Network Repository Function (NRF) and expects OAuth2 token validation on inbound requests. The route group is registered in the runtime ServiceList with "receive from NRF: true" set, signaling that operators expect OAuth2 protection.

In affected versions, the route group is mounted without any inbound authorization middleware. The server accepts any string supplied in the Authorization: Bearer header, including syntactically invalid or fabricated tokens. Requests are processed as if authenticated, exposing four production-intended endpoints to unauthenticated callers.

This flaw shares its root cause with other NEF SBI findings in free5GC, but it is more impactful because nnef-pfdmanagement is the production path that operators rely on for PFD distribution between the NEF and the Session Management Function (SMF).

Root Cause

The nnef-pfdmanagement route group is registered on the HTTP router without attaching the OAuth2 bearer-token validation middleware. As a result, the server skips token signature verification, audience checks, and scope enforcement before dispatching requests to handlers.
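To make the root cause concrete, the following is an added Go example (not free5GC's code) built on the standard library: the same route group mounted once the vulnerable way and once behind an inbound bearer-token middleware. The /nnef-pfdmanagement/v1 prefix, the requireBearer and newNEFRouter names and the injected TokenVerifier are assumptions for the example; in a real NEF the verifier checks the JWT against the NRF's OAuth2 keys.

```go
package main

import (
	"net/http"
	"strings"
)

// TokenVerifier checks an inbound SBI bearer token. A real NEF validates the
// JWT signature, issuer, audience and scope against the NRF's OAuth2 keys here.
type TokenVerifier func(token string) error

// requireBearer is a hypothetical inbound authorization middleware for the
// nnef-pfdmanagement route group: a missing, malformed or unverifiable token
// is answered with 401 before any PFD handler runs.
func requireBearer(verify TokenVerifier, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		if err := verify(strings.TrimPrefix(auth, prefix)); err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newNEFRouter mounts stand-in handlers for the four affected endpoints under
// an assumed /nnef-pfdmanagement/v1 prefix. enforce=false reproduces the
// vulnerable layout (route group registered with no inbound auth middleware);
// enforce=true wraps the whole group in requireBearer, which is what the fix does.
func newNEFRouter(enforce bool, verify TokenVerifier) http.Handler {
	group := http.NewServeMux()
	ok := func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }
	group.HandleFunc("/applications", ok)   // GET: enumerate PFD application data
	group.HandleFunc("/applications/", ok)  // GET: /applications/{appID}
	group.HandleFunc("/subscriptions", ok)  // POST: create a change-notification subscription
	group.HandleFunc("/subscriptions/", ok) // DELETE: /subscriptions/{subID}
	var h http.Handler = group
	if enforce {
		h = requireBearer(verify, group)
	}
	root := http.NewServeMux()
	root.Handle("/nnef-pfdmanagement/v1/", http.StripPrefix("/nnef-pfdmanagement/v1", h))
	return root
}
```

With enforce=false a request carrying "Bearer not-a-real-token" is served with 200, which is exactly the behaviour described above; with enforce=true the same request is refused with 401 and never reaches a handler.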

Attack Vector

An attacker requires network reachability to the NEF SBI listener. The attacker sends HTTP requests with an arbitrary Authorization: Bearer header value to the following endpoints:

  • GET /applications - enumerate PFD application data
  • GET /applications/{appID} - read PFD data for a specific application
  • POST /subscriptions - create PFD change-notification subscriptions
  • DELETE /subscriptions/{subID} - remove existing subscriptions

No valid OAuth2 token issued by the NRF is required. See the free5GC GitHub Security Advisory for additional technical detail.

Detection Methods for CVE-2026-44330

Indicators of Compromise

  • Inbound HTTP requests to NEF nnef-pfdmanagement endpoints carrying malformed or unverifiable bearer tokens
  • POST /subscriptions or DELETE /subscriptions/{subID} calls originating from network sources not registered as 5G network functions in the NRF
  • Unexpected enumeration patterns hitting GET /applications and GET /applications/{appID} from a single source

Detection Strategies

  • Inspect NEF access logs for requests where the Authorization header is present but the token fails downstream signature or issuer validation when replayed against the NRF
  • Correlate NEF SBI client IP addresses against the authorized list of network functions registered with the NRF
  • Alert on PFD subscription churn that does not align with provisioned SMF instances
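The first two strategies above can be run over NEF SBI access logs. The Go code below is an added example, not free5GC tooling; it assumes a simple space-separated log format ("<ts> <src_ip> <method> <path> <status> <bearer_token>"), uses constructed sample lines, and takes the set of NRF-registered source addresses as an input map.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is one finding from NEF SBI access-log review.
type Alert struct{ Source, Reason string }

// Constructed sample lines in an assumed log format:
// "<ts> <src_ip> <method> <path> <status> <bearer_token>".
var sampleNEFLog = []string{
	"2026-05-27T10:00:01Z 10.0.10.5 GET /nnef-pfdmanagement/v1/applications/app1 200 eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzbWYifQ.c2ln",
	"2026-05-27T10:00:02Z 10.0.99.7 GET /nnef-pfdmanagement/v1/applications 200 not-a-jwt",
	"2026-05-27T10:00:03Z 10.0.99.7 POST /nnef-pfdmanagement/v1/subscriptions 201 x.y.z",
	"2026-05-27T10:00:04Z 10.0.99.7 DELETE /nnef-pfdmanagement/v1/subscriptions/sub-1 204 forged",
	"2026-05-27T10:00:05Z 10.0.10.5 GET /nnrf-nfm/v1/nf-instances 200 eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzbWYifQ.c2ln",
}

// jwtShaped is a cheap first filter: an NRF-issued OAuth2 token is a JWT with
// three non-empty dot-separated segments; anything else could never have
// passed signature validation, so a 2xx answer to it means the check was skipped.
func jwtShaped(tok string) bool {
	p := strings.Split(tok, ".")
	return len(p) == 3 && p[0] != "" && p[1] != "" && p[2] != ""
}

// analyzeNEFLog applies two of the detection strategies above to the log:
// malformed tokens on pfdmanagement paths that were nevertheless served, and
// subscription changes from sources that are not registered NFs in the NRF.
func analyzeNEFLog(lines []string, nrfRegistered map[string]bool) []Alert {
	var alerts []Alert
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 6 || !strings.HasPrefix(f[3], "/nnef-pfdmanagement/") {
			continue // other SBI services are out of scope here
		}
		src, method, path, status, tok := f[1], f[2], f[3], f[4], f[5]
		if !jwtShaped(tok) && strings.HasPrefix(status, "2") {
			alerts = append(alerts, Alert{src, "malformed bearer token accepted on " + path})
		}
		if !nrfRegistered[src] && (method == "POST" || method == "DELETE") && strings.Contains(path, "/subscriptions") {
			alerts = append(alerts, Alert{src, fmt.Sprintf("%s %s from source not registered in NRF", method, path)})
		}
	}
	return alerts
}
```

The shape check is only a triage filter; a full replay of each token against the NRF's issuer and signature, as the strategy above describes, is what confirms a finding.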

Monitoring Recommendations

  • Enable verbose audit logging on the NEF SBI listener and forward logs to a centralized analytics platform
  • Monitor north-south and east-west traffic to the NEF for connections originating outside the trusted 5G core network segment
  • Track creation and deletion rates of PFD subscriptions to baseline normal operator activity

How to Mitigate CVE-2026-44330

Immediate Actions Required

  • Upgrade free5GC to version 4.2.2 or later, which restores OAuth2 enforcement on the nnef-pfdmanagement route group
  • Restrict network access to the NEF SBI listener to authorized 5G network functions using firewall rules or service mesh policies
  • Rotate any OAuth2 signing keys used by the NRF if unauthorized subscription activity is suspected

Patch Information

The maintainers fixed the missing authorization middleware in free5GC 4.2.2. Operators should review the free5GC GitHub Security Advisory GHSA-rwww-x45w-p52w for upgrade guidance and verify that the patched NEF binary attaches OAuth2 middleware to all routes declared in the runtime ServiceList.

Workarounds

  • Place the NEF SBI behind a reverse proxy or API gateway that validates OAuth2 tokens against the NRF before forwarding requests
  • Enforce mutual TLS (mTLS) on the SBI to limit connections to known network function certificates
  • Segment the 5G core network so that the NEF SBI is unreachable from untrusted networks until the patch is applied
```bash
# Example firewall rule restricting NEF SBI to known SMF and AF IP ranges
# (adjust the port and source range to your deployment; the ACCEPT rule must precede the DROP)
iptables -A INPUT -p tcp --dport 8000 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
