Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type-confusion bug family. The handler in NFs/nrf/internal/sbi/api_accesstoken.go reflects over models.NrfAccessTokenAccessTokenReq, special-cases only plain string and NrfNfManagementNfType fields, and treats every other field as if it were a single models.PlmnId. The parsed *models.PlmnId is then assigned with reflect.Value.Set() to whichever field name the attacker put in the form body, which panics whenever the destination field's real type is incompatible (slice, different struct, primitive). Gin recovery converts each panic into HTTP 500, but the endpoint remains remotely panicable from a single unauthenticated form-encoded request and is repeatedly triggerable. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The free5GC NRF POST /oauth2/token endpoint has a parser-level type-confusion bug: the handler panics when the form body names a field whose real type cannot hold the parsed *models.PlmnId. Gin's recovery layer converts each panic into an HTTP 500 error. The flaw does not allow arbitrary code execution, but it disrupts service availability because the handler panics on each bad request, and an unauthenticated client can trigger this repeatedly with a malformed form-encoded payload.
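The bug class described above, reduced to a self-contained Go program, with the flawed assignment beside a type-checked one. This is an added example, not free5GC code: `PlmnId`, `tokenReq` and its fields, `unsafeAssign` and `safeAssign` are constructed stand-ins, and the `recover` in `unsafeAssign` plays the role of Gin's recovery middleware.

```go
package main

import (
	"fmt"
	"reflect"
)

// Constructed stand-ins for the request model; not free5GC's models package.
type PlmnId struct{ Mcc, Mnc string }

type tokenReq struct {
	GrantType      string
	RequesterPlmn  *PlmnId  // the only field that can hold *PlmnId
	TargetPlmnList []PlmnId // slice: incompatible
	Count          int      // primitive: incompatible
}

// unsafeAssign mirrors the flawed pattern: Set() is called on whatever field
// the caller named. The recover stands in for Gin's recovery middleware.
func unsafeAssign(req *tokenReq, field string, v *PlmnId) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	reflect.ValueOf(req).Elem().FieldByName(field).Set(reflect.ValueOf(v))
	return nil
}

// safeAssign rejects unknown fields and incompatible types before Set(),
// so bad input becomes a validation error instead of a panic.
func safeAssign(req *tokenReq, field string, v *PlmnId) error {
	dst := reflect.ValueOf(req).Elem().FieldByName(field)
	if !dst.IsValid() || !dst.CanSet() {
		return fmt.Errorf("unknown or unsettable field %q", field)
	}
	if t := reflect.TypeOf(v); !t.AssignableTo(dst.Type()) {
		return fmt.Errorf("field %q is %s, cannot hold %s", field, dst.Type(), t)
	}
	dst.Set(reflect.ValueOf(v))
	return nil
}

func main() {
	p := &PlmnId{Mcc: "001", Mnc: "01"} // constructed sample value
	for _, f := range []string{"RequesterPlmn", "TargetPlmnList", "Count", "NoSuch"} {
		var a, b tokenReq
		fmt.Printf("%-15s unsafe=%v | safe=%v\n", f, unsafeAssign(&a, f, p), safeAssign(&b, f, p))
	}
}
```

In a handler, the error from the checked path maps to an HTTP 400 response, so malformed field names never reach the panic-recovery layer.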

Affected Systems

Affected vendors/products include free5gc:free5gc. The NRF component is vulnerable in all releases of free5GC before version 4.2.2. The issue is fixed in release 4.2.2 and later.

Risk and Exploitability

The CVSS score of 7.5 classifies this as high severity. EPSS is not available for this vulnerability and it is not listed in CISA's KEV. Attackers can exploit the flaw remotely via the network by sending a simple form-encoded POST request to /oauth2/token that contains a crafted field name. Since the request is unauthenticated and the endpoint remains panicable, the risk of disruption is real for compromised or hostile networks. However, the attack surface is limited to anyone who can reach the NRF service from the network.

Generated by OpenCVE AI on May 27, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later to apply the vendor fix.
  • Configure the NRF to require authentication for the /oauth2/token endpoint so that only authorized clients can send token requests.
  • Apply network controls to limit or block external access to the /oauth2/token endpoint until the patch is deployed.



Advisories
Source: Github GHSA
ID: GHSA-f8qv-7x5w-qr48
Title: free5GC NRF: type-confusion panic in POST /oauth2/token structured-form parser via Reflect.Set on incompatible types
History

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type-confusion bug family. The handler in NFs/nrf/internal/sbi/api_accesstoken.go reflects over models.NrfAccessTokenAccessTokenReq, special-cases only plain string and NrfNfManagementNfType fields, and treats every other field as if it were a single models.PlmnId. The parsed *models.PlmnId is then assigned with reflect.Value.Set() to whichever field name the attacker put in the form body, which panics whenever the destination field's real type is incompatible (slice, different struct, primitive). Gin recovery converts each panic into HTTP 500, but the endpoint remains remotely panicable from a single unauthenticated form-encoded request and is repeatedly triggerable. This vulnerability is fixed in 4.2.2.
Title free5GC: NRF POST /oauth2/token structured-form parser type-confusion panic family (Reflect.Set on incompatible types)
Weaknesses CWE-20
CWE-755
CWE-843
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:50:51.669Z

Reserved: 2026-05-05T19:00:06.023Z

Link: CVE-2026-44325

Vulnrichment

Updated: 2026-05-27T17:49:58.523Z

NVD

Status: Analyzed

Published: 2026-05-27T17:16:37.910

Modified: 2026-06-17T10:50:30.380

Link: CVE-2026-44325

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-755

    Improper Handling of Exceptional Conditions

  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')