CVE-2026-44330 | THREATINT

Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-27 | Updated 2026-05-27 | Assigner GitHub_M

CRITICAL: 10.0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Problem types

CWE-863: Incorrect Authorization

Product status

< 4.2.2

affected

References

github.com/...ree5gc/security/advisories/GHSA-rwww-x45w-p52w exploit

github.com/...ree5gc/security/advisories/GHSA-rwww-x45w-p52w

cve.org (CVE-2026-44330)

nvd.nist.gov (CVE-2026-44330)

Download JSON