Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

free5GC's NEF component, before version 4.2.2, exposes the nnef-callback route group without requiring OAuth2 bearer-token authentication. An attacker can send a request containing any arbitrary token, such as Authorization: Bearer not-a-real-token, and the callback handler will process the body and dispatch it into NEF business logic. Consequently, forged callback requests can alter real subscription state because the system fails to verify the producer NF identity. This represents an authentication bypass (CWE-306) and an authorization failure (CWE-862), allowing the attacker to modify user data and service agreements without proper credentials.

Affected Systems

The vulnerability affects the free5GC open‑source 5G core network implementation, specifically the NEF module in releases prior to 4.2.2. All deployments of the free5GC NEF component running a version older than 4.2.2 are potentially exposed.

Risk and Exploitability

With a CVSS score of 7.3, the flaw is considered high severity. Although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the missing authentication boundary is a critical security gap. An attacker only needs to guess or obtain a valid NotifId and fabricate a bearer token to reach the SMF-callback handler. Because the route group is reachable even when not declared in the runtime ServiceList, the attack path is straightforward and does not require additional exploits.

Generated by OpenCVE AI on May 27, 2026 at 19:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to release 4.2.2 or later, where the NEF nnef-callback route group is protected with OAuth2 bearer-token authentication.
  • If upgrading immediately is not possible, reconfigure the NEF service to remove or disable the nnef-callback route group until a patch is applied.
  • Verify that the NEF deployment validates the NF identity on inbound callbacks and monitor logs for unauthorized callback activity.
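
The auth boundary the description says was missing, as an added example using Go's standard net/http (not free5GC's own code or router): route groups are mounted only when the service list declares them, and always behind a bearer-token check that runs before the handler. The verify function, the token values and the /nnef-callback/v1/constructed path are assumptions standing in for real OAuth2 validation and the project's actual routes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer rejects a request at the auth boundary, before next can parse the body.
func requireBearer(verify func(token string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if a := r.Header.Get("Authorization"); !strings.HasPrefix(a, "Bearer ") || !verify(a[len("Bearer "):]) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// buildRouter mounts only the route groups declared in serviceList, each behind requireBearer.
func buildRouter(serviceList []string, groups map[string]http.Handler, verify func(string) bool) http.Handler {
	mux := http.NewServeMux()
	for _, svc := range serviceList {
		if h, ok := groups[svc]; ok {
			mux.Handle("/"+svc+"/", requireBearer(verify, h))
		}
	}
	return mux
}

// demo returns the status for three constructed requests and how often the handler ran.
func demo() (undeclared, forged, valid, hits int) {
	groups := map[string]http.Handler{"nnef-callback": http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { hits++; w.WriteHeader(http.StatusNoContent) })}
	verify := func(tok string) bool { return tok == "constructed-valid-token" } // hypothetical stand-in for OAuth2 validation
	probe := func(serviceList []string, authz string) int {
		req := httptest.NewRequest("POST", "/nnef-callback/v1/constructed", strings.NewReader("{}"))
		req.Header.Set("Authorization", authz)
		rec := httptest.NewRecorder()
		buildRouter(serviceList, groups, verify).ServeHTTP(rec, req)
		return rec.Code
	}
	undeclared = probe([]string{"nnef-pfdmanagement", "nnef-oam"}, "Bearer not-a-real-token")
	forged = probe([]string{"nnef-callback"}, "Bearer not-a-real-token")
	valid = probe([]string{"nnef-callback"}, "Bearer constructed-valid-token")
	return
}

func main() { fmt.Println(demo()) }
```

The same three probes, pointed at a test deployment, make a regression check after upgrading: an undeclared group should not route at all, and a forged token should fail before the handler counter moves.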


Advisories
Source ID Title
Github GHSA GHSA-wqfh-gq79-j8mf free5GC's NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path
History

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2.
Title free5GC: NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path
Weaknesses CWE-306, CWE-862
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:44:48.702Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44320

Vulnrichment

Updated: 2026-05-27T17:44:29.824Z

NVD

Status: Undergoing Analysis

Published: 2026-05-27T17:16:37.177

Modified: 2026-05-27T19:51:27.110

Link: CVE-2026-44320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z
