Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token). The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

free5GC's NEF component exposes the 3GPP PFD‑management API without requiring inbound OAuth2 or bearer‑token authentication. An attacker with network access to the NEF Service‑Based Interface can send HTTP requests containing any forged bearer token, for example \"Authorization: Bearer not-a-real-token\", and thus create, read, or delete PFD‑transaction state. This flaw allows an adversary to modify policy‑filter‑detail data used for traffic analytics and billing, potentially leading to privacy violations, incorrect accounting, or denial of service if critical PFD records are tampered with. The weakness is categorized as CWE‑862, Unchecked Input for Authorization.

Affected Systems

All releases of free5GC before version 4.2.2 are affected. The vulnerability persists even when the ServiceList configuration does not declare the PFD‑management route group, because the HTTP endpoint remains reachable. The only remedy is to upgrade to version 4.2.2 or later, where proper bearer‑token validation is enforced.

Risk and Exploitability

The CVSS base score is 9.4, indicating a critical severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The attack vector is remote network‑based; any host that can reach the NEF SBI interface can abuse the unauthenticated API by forging a bearer token. Exfiltration or manipulation of data requires no privileged credentials or user interaction, making exploitation straightforward for an attacker who can reach the service.

Generated by OpenCVE AI on May 27, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later, where the PFD‑management API is protected by proper bearer‑token authorization.
  • If upgrading immediately is not possible, block or restrict inbound traffic to the NEF SBI interface using firewall or network segmentation so that only trusted network segments can reach the API.
  • Remove or disable the PFD‑management route group from the NEF deployment configuration to prevent the endpoint from being reachable, even if the ServiceList reference claims it is disabled.
  • Consider placing an API gateway or authentication proxy in front of NEF to enforce OAuth2 validation if the application cannot be updated at once.

Generated by OpenCVE AI on May 27, 2026 at 21:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5f62-53r8-qrqf free5GC's NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions
History

Thu, 28 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token). The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2.
Title free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:22:44.713Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44315

cve-icon Vulnrichment

Updated: 2026-05-27T17:19:22.684Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:36.430

Modified: 2026-05-28T18:34:15.023

Link: CVE-2026-44315

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses