Unauthorized Access in Free5GC's NEF API Exposes Core Network Functions
CVE-2026-44315

9.4 CRITICAL

Key Information:

Vendor: Free5gc
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-44315?

The NEF (Network Exposure Function) of free5GC, an open-source 5G core network implementation, does not correctly enforce OAuth2/bearer-token authorization on its PFD-management API before version 4.2.2. An attacker with network access to the Service Based Interface (SBI) can create, read, and delete PFD-management transaction state using a forged or arbitrary bearer token. The exposure is not removed by configuration: even when operators disable the service in the NEF's ServiceList, the route group is still registered and reachable over the SBI, so these operations remain callable. Versions from 4.2.2 onward are not affected.
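
As an added illustration, and not free5GC's own code, the Go snippet below shows the defensive pattern the description implies: the PFD-management route group is registered only when the service is enabled in the configuration and only behind a bearer-token check, and an httptest probe confirms that a missing or forged token gets 401 while a disabled service gets 404. The `/nnef-pfdmanagement/v1/` path, the `nnef-pfdmanagement` service key, the `enabled` map standing in for ServiceList and the static-token comparison are all assumptions made for the example.

```go
package main
import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer is a constructed stand-in for OAuth2 token validation: a
// missing or non-matching bearer token gets 401 before the handler runs.
func requireBearer(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if tok == "" || subtle.ConstantTimeCompare([]byte(tok), []byte(expected)) != 1 {
			http.Error(w, "invalid bearer token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewNEFRouter registers the PFD-management route group only when the
// enabled map (stand-in for the operator's ServiceList) allows it, and only
// behind requireBearer; an unconditional, unwrapped registration is the gap.
func NewNEFRouter(enabled map[string]bool, expectedToken string) http.Handler {
	mux := http.NewServeMux()
	if enabled["nnef-pfdmanagement"] {
		pfd := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.WriteHeader(http.StatusOK) // placeholder for transaction handling
		})
		mux.Handle("/nnef-pfdmanagement/v1/", requireBearer(expectedToken, pfd))
	}
	return mux
}

// probe returns the status code the router gives a PFD transaction request
// carrying the supplied Authorization header value ("" sends an empty one).
func probe(h http.Handler, auth string) int {
	req := httptest.NewRequest(http.MethodGet, "/nnef-pfdmanagement/v1/applications", nil)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
func main() {
	on := NewNEFRouter(map[string]bool{"nnef-pfdmanagement": true}, "tok")
	off := NewNEFRouter(map[string]bool{}, "tok")
	fmt.Println(probe(on, ""), probe(on, "Bearer forged"), probe(on, "Bearer tok"), probe(off, "Bearer tok")) // 401 401 200 404
}
```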

Affected Version(s)

free5gc < 4.2.2

CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved