Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions either with no Authorization header at all, or with a forged bearer token (e.g. Authorization: Bearer not-a-real-token). This includes creating AnyUeInd=true subscriptions intended to affect group / any-UE traffic steering. The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

free5GC's Network Exposure Function exposes the 3gpp‑traffic‑influence API without bearer‑token authentication until version 4.2.2. An attacker who can reach the NEF over the SBI can send requests that create, read, patch, or delete traffic‑influence subscriptions with no Authorization header or with a forged token, including AnyUeInd subscriptions that can affect group or any‑UE traffic steering. As a result, an attacker can alter traffic steering for any UE or any group of UEs without having valid credentials.

Affected Systems

Affected vendor is free5GC, specifically the free5gc product prior to release 4.2.2. Any installation of free5GC older than or equal to 4.2.1 is exposed. No specific sub‑version ranges beyond the mention of 4.2.2 as the fixing release are provided.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.4, indicating a high‑severity flaw that can lead to unauthorized system‑level control. EPSS data are not available, and the issue has not been listed in the CISA KEV catalog. The attack can be performed over the network by an adversary who can reach NEF’s SBI interface; no local privilege or code execution is required. Because the API is reachable even when the ServiceList configuration does not declare it, operators may assume the service is disabled when it is not, further increasing the risk. Until a patch is applied, this represents a significant security exposure that can be exploited by internal or external actors with network access.

Generated by OpenCVE AI on May 27, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the free5GC implementation to version 4.2.2 or later, which adds mandatory OAuth2 bearer‑token authentication to the NEF traffic‑influence API.
  • Limit network traffic to the NEF SBI interface by applying firewall rules or network segmentation to ensure only trusted network segments or IP addresses can reach the API.
  • Continuously monitor NEF logs and network traffic for suspicious subscription creation, modification or deletion requests, and correlate them with known valid bearer tokens.

Generated by OpenCVE AI on May 27, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3p28-73q7-45xp free5GC's NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions
History

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions either with no Authorization header at all, or with a forged bearer token (e.g. Authorization: Bearer not-a-real-token). This includes creating AnyUeInd=true subscriptions intended to affect group / any-UE traffic steering. The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2.
Title free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:53:01.419Z

Reserved: 2026-05-05T19:00:06.023Z

Link: CVE-2026-44326

cve-icon Vulnrichment

Updated: 2026-05-27T17:52:57.631Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:38.053

Modified: 2026-06-17T10:50:30.483

Link: CVE-2026-44326

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses