Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The free5GC implementation of the 5G core network contains a flaw in the NEF component where the nnef‑pfdmanagement API route group is mounted without enforcing OAuth2 bearer‑token authentication. By sending HTTP requests with any bearer token to endpoints such as GET /applications, GET /applications/{appID}, POST /subscriptions, or DELETE /subscriptions/{subID}, an attacker who can reach the NEF Service Based Interface (SBI) can read personal flow information data and create or delete PFD change‑notification subscriptions. This grants unauthorized disclosure of user flow data and manipulation of subscription state, although it does not provide code execution or full network takeover. The weakness is a classic "incorrect authorization" (CWE‑863).

Affected Systems

free5GC (free5gc) versions before 4.2.2. The vulnerability is present in the NEF component of the open‑source 5G core implementation prior to the 4.2.2 release; it has been fixed in 4.2.2.

Risk and Exploitability

The CVSS base score of 10 indicates that exploitation is trivial for an attacker with network access to the NEF SBI. EPSS is not provided, and the vulnerability is not included in the CISA KEV catalog, but the lack of authentication means that any host with connectivity to the NEF service can construct forged bearer tokens and gain the described privileges. The attack vector is purely network‑based; no privileged local access is required. Given the severe impact and zero‑click requirement from a reachable endpoint, remediation must be performed immediately to prevent uncontrolled disclosure or subscription modification.

Generated by OpenCVE AI on May 27, 2026 at 19:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later.
  • Verify that the NEF component is configured to enforce OAuth2 bearer‑token authentication on all API routes, especially the nnef‑pfdmanagement group.
  • Restrict external network access to the NEF SBI endpoints to trusted networks or use a firewall/ACL until the patch is applied.

Generated by OpenCVE AI on May 27, 2026 at 19:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rwww-x45w-p52w free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions
History

Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2.
Title free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:47:32.545Z

Reserved: 2026-05-05T19:00:06.023Z

Link: CVE-2026-44330

cve-icon Vulnrichment

Updated: 2026-05-27T18:47:12.477Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:38.713

Modified: 2026-05-28T13:06:07.270

Link: CVE-2026-44330

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses