PatchSiren

CVE-2026-44330 free5gc CVE debrief

CVE-2026-44330 is a critical authentication bypass vulnerability in free5GC, an open-source 5G core network implementation. The Network Exposure Function (NEF) component mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization, allowing unauthenticated network attackers to read Packet Flow Description (PFD) application data and manipulate PFD change-notification subscriptions using arbitrary or forged bearer tokens. This vulnerability affects versions prior to 4.2.2 and was published on May 27, 2026. The root cause is the absence of authentication middleware on a production-intended API path that operators expect to be protected by OAuth2. The vulnerability is distinct from related NEF SBI findings because the nnef-pfdmanagement route is properly declared in the runtime ServiceList, indicating it was intended for production use. Successful exploitation requires network access to the NEF Service-Based Interface (SBI). The vulnerability is fixed in free5GC version 4.2.2.

Vendor: free5gc
Product: Unknown
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Telecommunications operators deploying free5GC-based 5G core networks; security teams responsible for 5G infrastructure; network architects designing SBI security controls; compliance auditors evaluating 3GPP security requirement implementation.

Technical summary

The free5GC NEF component in versions prior to 4.2.2 fails to enforce OAuth2/bearer-token authentication on the nnef-pfdmanagement route group. This production-intended API path, declared in the runtime ServiceList, exposes GET /applications, GET /applications/{appID}, POST /subscriptions, and DELETE /subscriptions/{subID} endpoints without authorization checks. Attackers with network access to the NEF SBI can supply arbitrary bearer tokens to exfiltrate PFD application data and manipulate subscription state. The vulnerability stems from missing authentication middleware rather than configuration errors, and persists despite the NRF OAuth2 receiveFromNrf: true setting that operators expect to protect this route.

Defensive priority

critical

Recommended defensive actions

  • Upgrade free5GC to version 4.2.2 or later to obtain the authentication middleware fix for the nnef-pfdmanagement route group.
  • Verify that all NEF Service-Based Interface (SBI) endpoints require valid OAuth2 bearer tokens by reviewing authentication middleware configuration in production deployments.
  • Implement network segmentation to restrict access to NEF SBI interfaces to authorized network functions and administrative hosts only.
  • Monitor NEF access logs for anomalous requests to /applications and /subscriptions endpoints, particularly those using invalid or unexpected bearer tokens.
  • Conduct authentication and authorization testing on all NEF API route groups to identify any additional unprotected endpoints.
  • Review NRF OAuth2 configuration to ensure that the receiveFromNrf: true setting is properly enforced across all declared service routes.
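
An added example, not free5GC code: a Go regression check for the authentication testing recommended above. It sends each listed PFD management request, with no token or with an unrecognised one, to an in-process handler and reports every route that does not answer 401. The handler `pfdGroup`, the `requireBearer` wrapper, its token check and the sample IDs are constructed stand-ins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Endpoints the advisory lists; "app1" and "sub1" are constructed sample IDs.
var pfdRoutes = [][2]string{
	{"GET", "/applications"}, {"GET", "/applications/app1"},
	{"POST", "/subscriptions"}, {"DELETE", "/subscriptions/sub1"},
}

// pfdGroup is a stand-in for the route group: every route answers 200.
var pfdGroup = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) })

// requireBearer answers 401 unless valid (hypothetical token check) accepts the token.
func requireBearer(valid func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if a := r.Header.Get("Authorization"); !strings.HasPrefix(a, "Bearer ") || !valid(a[7:]) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mismatches lists routes whose status for auth ("" = no header) is not want.
func mismatches(h http.Handler, auth string, want int) (bad []string) {
	for _, rt := range pfdRoutes {
		req := httptest.NewRequest(rt[0], rt[1], nil)
		if auth != "" {
			req.Header.Set("Authorization", auth)
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		if rec.Code != want {
			bad = append(bad, rt[0]+" "+rt[1])
		}
	}
	return bad
}

func main() {
	fixed := requireBearer(func(t string) bool { return t == "constructed-valid-token" }, pfdGroup)
	fmt.Println(mismatches(pfdGroup, "Bearer bogus", 401), mismatches(fixed, "Bearer bogus", 401))
}
```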

Evidence notes

Vulnerability description confirms the nnef-pfdmanagement route group lacks OAuth2/bearer-token authorization middleware. The route is declared in the runtime ServiceList, distinguishing it from other unprotected NEF routes. CVSS 10.0 reflects network attack vector, low complexity, no privileges required, no user interaction, and changed scope with high impact to confidentiality, integrity, and availability. CWE-863 (Incorrect Authorization) identified as secondary weakness. Fix version 4.2.2 confirmed in advisory.

Official resources

2026-05-27T17:16:38.713Z