PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44320 free5gc CVE debrief

free5GC NEF (Network Exposure Function) prior to version 4.2.2 fails to enforce OAuth2/bearer-token authorization on the nnef-callback route group. An attacker can submit forged callback requests with arbitrary bearer tokens to reach SMF-callback handlers and manipulate subscription state if a valid NotifId is known or guessed. The vulnerability stems from missing inbound authentication middleware on the route group, which remains reachable even when not declared in the runtime ServiceList. This represents a critical authentication bypass in 5G core network infrastructure that could allow unauthorized modification of network function state.

Vendor: free5gc
Product: Unknown
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Telecommunications operators deploying free5GC-based 5G core networks; security teams responsible for 5G infrastructure; network engineers managing NEF and SMF service interactions; and compliance auditors evaluating 5G core authentication controls.

Technical summary

The free5GC NEF component mounts the nnef-callback route group without inbound authentication middleware, allowing forged SMF callback requests with arbitrary bearer tokens to reach business logic handlers. An attacker who obtains or guesses a valid NotifId can manipulate real subscription state through unauthorized callback processing. The route group is accessible regardless of ServiceList declarations, expanding the attack surface beyond documented endpoints. Fixed in version 4.2.2 by adding proper OAuth2/bearer-token authorization to the callback route group.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade free5GC to version 4.2.2 or later to obtain the authentication middleware fix
  • Review NEF route group configurations to ensure nnef-callback endpoints enforce OAuth2/bearer-token validation
  • Audit runtime ServiceList declarations against actual exposed endpoints to identify undeclared reachable routes
  • Implement network segmentation to restrict NEF callback endpoint access to authorized SMF instances only
  • Monitor for anomalous callback requests to NEF endpoints, particularly those with invalid or unexpected bearer tokens
  • Verify that all Service Based Interface (SBI) route groups in free5GC deployments have appropriate authentication middleware applied
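The verification steps above can be expressed as an in-process regression check. The following is an added example, not free5GC's code: it uses Go's standard net/http instead of the project's router, and the request path, the token values and the validate callback are constructed stand-ins for a real deployment's routes and OAuth2 token verification.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer rejects any request whose bearer token fails validate.
// validate is an assumption standing in for real OAuth2 token verification.
func requireBearer(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authz := r.Header.Get("Authorization")
		if !strings.HasPrefix(authz, "Bearer ") || !validate(strings.TrimPrefix(authz, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter mounts a callback group; protect=false models the missing-middleware pattern.
func newRouter(protect bool, validate func(string) bool) http.Handler {
	// Stand-in for a callback handler that would change subscription state.
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	if protect {
		h = requireBearer(validate, h)
	}
	mux := http.NewServeMux()
	mux.Handle("/nnef-callback/", h)
	return mux
}

// probeStatus replays one callback request in-process and returns the status code.
func probeStatus(router http.Handler, authz string) int {
	req := httptest.NewRequest(http.MethodPost, "/nnef-callback/constructed/notif-1", nil)
	req.Header.Set("Authorization", authz) // constructed path and header value
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ok := func(tok string) bool { return tok == "constructed-valid-token" }
	fmt.Println("unprotected:", probeStatus(newRouter(false, ok), "Bearer not-issued"))
	fmt.Println("protected:  ", probeStatus(newRouter(true, ok), "Bearer not-issued"))
}
```

A check of this shape belongs in CI for every mounted route group, so that a group added without middleware fails the build instead of reaching production.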

Evidence notes

Official GitHub Security Advisory GHSA-wqfh-gq79-j8mf confirms the authentication bypass and fix in free5GC 4.2.2. NVD entry published 2026-05-27 with CVSS 7.3 (HIGH). CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization) identified as applicable weaknesses.
