PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44326 free5gc CVE debrief

A critical authentication bypass vulnerability in free5GC's Network Exposure Function (NEF) allows unauthenticated network attackers to manipulate 5G traffic steering subscriptions. The 3gpp-traffic-influence API endpoint lacks OAuth2/bearer-token authorization enforcement, permitting arbitrary create, read, patch, and delete operations on traffic-influence subscriptions—including AnyUeInd=true subscriptions that affect group or any-UE traffic steering. Attackers can exploit this with no Authorization header or forged bearer tokens. The vulnerable route group remains accessible even when disabled in ServiceList configuration, creating a false sense of security for operators. This vulnerability affects free5GC versions prior to 4.2.2.

Vendor
free5gc
Product
Unknown
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Telecommunications operators deploying free5GC-based 5G core networks; network security teams managing SBI (Service-Based Interface) exposure; 5G infrastructure administrators responsible for NEF configuration and traffic steering policies; compliance teams ensuring 3GPP security requirements for network exposure functions.

Technical summary

The free5GC NEF (Network Exposure Function) implements the 3gpp-traffic-influence API without proper inbound authorization checks. The endpoint accepts requests lacking Authorization headers or containing arbitrary bearer tokens without validation against configured OAuth2 providers. This enables complete CRUD operations on traffic-influence subscriptions, including AnyUeInd=true subscriptions that apply to any UE or UE groups. The vulnerability persists regardless of ServiceList configuration, as the route group remains internally mounted. The fix in version 4.2.2 adds proper OAuth2/bearer-token authorization enforcement to the affected API endpoints.

Defensive priority

CRITICAL

Recommended defensive actions

  • Upgrade free5GC to version 4.2.2 or later to obtain the authorization enforcement fix
  • Review and audit existing traffic-influence subscriptions for unauthorized modifications
  • Implement network segmentation to restrict SBI (Service-Based Interface) access to authorized network functions only
  • Monitor NEF access logs for anomalous 3gpp-traffic-influence API requests, especially from unexpected source addresses
  • Verify that OAuth2/bearer-token validation is properly enforced on all NEF endpoints after patching
  • Conduct configuration review to ensure ServiceList settings align with intended service exposure, noting that this vulnerability bypasses such controls

Evidence notes

CVE published 2026-05-27T17:16:38.053Z; modified 2026-05-27T19:51:27.110Z. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H. CWE-862 (Missing Authorization) identified. Fix confirmed in free5GC 4.2.2 via GitHub security advisory and pull request.

Official resources

2026-05-27