PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44315 free5gc CVE debrief

free5GC is an open-source implementation of the 5G core network. Prior to version 4.2.2, the Network Exposure Function (NEF) component mounts the 3gpp-pfd-management API without enforcing inbound OAuth2/bearer-token authorization. A network attacker with reachability to the NEF on the Service-Based Interface (SBI) can create, read, and delete PFD-management transaction state using a forged or arbitrary bearer token. The affected route group remains reachable even when the running configuration's ServiceList does not declare it, meaning operators who believe they have disabled the service via configuration remain exposed. This vulnerability is fixed in free5GC version 4.2.2.

Vendor: free5gc
Product: Unknown
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Telecommunications operators deploying free5GC 5G core networks, network security teams managing 5G infrastructure, and organizations using NEF services for network exposure should prioritize patching. The critical CVSS score (9.4) reflects the ease of exploitation over the network and high impact on integrity and availability of PFD management functions.

Technical summary

The free5GC NEF component prior to 4.2.2 fails to validate OAuth2 bearer tokens on the 3gpp-pfd-management API endpoint. An unauthenticated network attacker can manipulate PFD (Packet Flow Description) management transactions using arbitrary or forged tokens. The vulnerability persists regardless of ServiceList configuration, as the route group remains mounted even when not explicitly declared. The fix in 4.2.2 adds proper inbound authorization checks.

Defensive priority

critical

Recommended defensive actions

  • Upgrade free5GC to version 4.2.2 or later to obtain the authorization fix
  • Verify that OAuth2/bearer-token validation is enforced on all NEF API endpoints, particularly 3gpp-pfd-management
  • Review network segmentation to restrict SBI access to authorized network functions only
  • Audit existing PFD-management transaction state for unauthorized modifications if running affected versions
  • Do not rely solely on ServiceList configuration to disable NEF services; apply the patched version
  • Monitor logs for anomalous bearer tokens or unauthorized PFD-management API access attempts
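
The two properties the actions above ask operators to verify (a route group absent from ServiceList is not mounted, and a mounted one rejects unvalidated bearer tokens) can be expressed as a small router check. This is an added example using Go's standard library, not free5GC or NEF code; newRouter, requireBearer, probe, the validate callback, the sample path and the sample token are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer rejects requests lacking a bearer token accepted by validate,
// a hypothetical stand-in for real OAuth2 token verification.
func requireBearer(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || !validate(strings.TrimPrefix(h, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter mounts a service only when serviceList declares it, always behind requireBearer.
func newRouter(serviceList []string, services map[string]http.Handler, validate func(string) bool) http.Handler {
	mux := http.NewServeMux()
	for _, name := range serviceList {
		if h, ok := services[name]; ok {
			mux.Handle("/"+name+"/", requireBearer(validate, h))
		}
	}
	return mux
}

// probe sends one GET through router with the given Authorization value; returns the status.
func probe(router http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)
	return rec.Code
}

func main() { // all fixtures below are constructed: stub handler, sample path, sample token
	svc := map[string]http.Handler{"3gpp-pfd-management": http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})}
	valid := func(t string) bool { return t == "sample-ok" }
	path := "/3gpp-pfd-management/v1/af001/transactions"
	on, off := newRouter([]string{"3gpp-pfd-management"}, svc, valid), newRouter(nil, svc, valid)
	fmt.Println(probe(on, path, "Bearer forged"), probe(on, path, "Bearer sample-ok"), probe(off, path, "Bearer sample-ok"))
}
```

The same three probes, pointed at a patched deployment's own router in a test harness, make a regression check for the behaviour this CVE describes.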

Evidence notes

The vulnerability description is sourced from the official CVE record published by NVD on 2026-05-27. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) indicates a network attack vector with low complexity, no privileges or user interaction required, low impact to confidentiality, and high impact to integrity and availability. The weakness is classified as CWE-862 (Missing Authorization). The fix is confirmed via GitHub security advisory GHSA-5f62-53r8-qrqf and pull request free5gc/nef#23.

Official resources

2026-05-27