Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 4.2.2 of free5GC the NEF component mounts the nnef-oam route group without any inbound OAuth2 or bearer-token authentication. Requests that omit the Authorization header are accepted and the handler returns 200 OK. The handler is currently a stub but the flaw is structural: every future OAM route added to this group inherits the missing authentication boundary by default. This creates a missing authentication (CWE-306) and missing authorization (CWE-862) weakness that allows an attacker to access the administrative interface of NEF over the Service‐Based Interface (SBI).

Affected Systems

The affected product is free5GC version 4.2.1 and earlier. The vulnerability is limited to the NEF service’s nnef-oam route group and does not impact other components of the free5GC stack. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 10 indicates that the vulnerability is criticial. Exploitation requires network-level reachability to the NEF over SBI but no credentials or special privileges are needed; the absence of an authentication middleware means an attacker can send unauthenticated HTTP requests directly to the OAM endpoints. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, but the high CVSS and the administrative nature of the affected endpoints make it a priority to mitigate.

Generated by OpenCVE AI on May 27, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later, which adds OAuth2 bearer‑token authentication to the NEF nnef‑oam route group.
  • Verify that the upgraded NEF component requires OAuth2 authorization for all OAM endpoints and that no unauthenticated pathways remain.
  • If an upgrade cannot be performed immediately, block unauthenticated traffic to the NEF OAM service endpoints using network firewall or access‑control lists.

Generated by OpenCVE AI on May 27, 2026 at 19:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cmpj-2x3g-m7g3 free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler
History

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2.
Title free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler
Weaknesses CWE-306
CWE-862
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:40:53.383Z

Reserved: 2026-05-05T19:00:06.023Z

Link: CVE-2026-44327

cve-icon Vulnrichment

Updated: 2026-05-28T14:39:37.729Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:38.203

Modified: 2026-06-17T10:50:30.593

Link: CVE-2026-44327

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-862

    Missing Authorization