PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44327 free5gc CVE debrief

## Summary free5GC NEF (Network Exposure Function) prior to version 4.2.2 exposes the `nnef-oam` route group without OAuth2/bearer-token authorization. A network attacker with reachability to the NEF Service-Based Interface (SBI) can access OAM (Operations, Administration, and Maintenance) endpoints without providing any Authorization header, receiving HTTP 200 OK responses. While the current OAM handler is a stub returning null, the structural defect affects the entire route group—meaning any future OAM operations added to this group will inherit the missing authentication boundary by default. This represents a critical architectural vulnerability in 5G core network infrastructure. ## Technical Details - **Affected Component**: free5GC NEF (Network Exposure Function) - **Vulnerable Route Group**: `nnef-oam` - **Authentication Gap**: Missing OAuth2/bearer-token middleware on inbound requests - **Attack Vector**: Network-based, no authentication required - **Affected Versions**: Prior to 4.2.2 - **Fixed Version**: 4.2.2 The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization). The CVSS 3.1 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope change (S:C), low confidentiality impact (C:L), high integrity impact (I:H), and high availability impact (A:H). ## Impact Assessment The critical severity (CVSS 10.0) reflects the combination of: - **Network accessibility**: NEF SBI interfaces are typically exposed to internal 5G core network segments - **No authentication barrier**: Complete absence of authorization checks - **Structural defect**: Future OAM functionality will automatically inherit the vulnerability - **High integrity/availability impact**: OAM functions typically control operational state of network functions In 5G architectures, the NEF serves as a gateway between external applications and 5G core network capabilities. Unauthorized OAM access could enable monitoring, configuration changes, or operational disruption of network exposure services. ## Timeline - **CVE Published**: 2026-05-27T17:16:38.

Vendor
free5gc
Product
Unknown
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Telecommunications operators deploying free5GC-based 5G core networks; network security architects designing 5G service mesh authentication; DevOps teams managing NEF deployments; security operations centers monitoring 5G core infrastructure for unauthorized access attempts

Technical summary

The free5GC NEF component mounts the `nnef-oam` route group without inbound OAuth2/bearer-token authorization middleware. Network attackers can reach OAM endpoints on the SBI without any Authorization header and receive HTTP 200 OK responses. The vulnerability is structural—future OAM operations added to this route group inherit the missing authentication boundary. Fixed in version 4.2.2.

Defensive priority

critical

Recommended defensive actions

  • Upgrade free5GC to version 4.2.2 or later to obtain the authentication middleware fix
  • Review NEF SBI network segmentation to ensure least-privilege access controls
  • Audit OAM route group implementations for similar authentication gaps in custom deployments
  • Monitor for unauthorized access attempts to `/nnef-oam` endpoints in access logs
  • Verify that any custom OAM handlers added to the route group implement proper authorization checks
  • Conduct architecture review of 5G core service mesh to validate OAuth2 enforcement across all SBI interfaces

Evidence notes

Vulnerability description and technical details sourced from official CVE record and NVD entry. Fix confirmation via GitHub security advisory and pull request. CVSS vector and CWE classifications from NVD source data.

Official resources

2026-05-27