Unauthorized Access in free5GC NEF via Unprotected nnef-callback Route Mounting Prior to Version 4.2.2
CVE-2026-44320

7.3 HIGH

Key Information:

Vendor: free5GC
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-44320?

The vulnerability in free5GC's Network Exposure Function (NEF) allows unauthorized access because OAuth2 bearer-token authorization is not enforced on one of its inbound route groups. Prior to version 4.2.2, the NEF mounts the nnef-callback route group without the inbound authorization middleware that guards its other service routes. As a result, a request carrying a forged or arbitrary bearer token reaches the SMF-callback handler unchecked. An unauthenticated network attacker who knows or guesses a valid NotifId can therefore send crafted callbacks that alter the corresponding subscription state, bypassing the authentication boundary and interfering with legitimate operations. The root cause is the missing middleware on that route group, not a flaw in token validation itself.
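The following Go program is an added illustration of the mounting mistake described above, not free5GC's own code. It uses the standard net/http router rather than the project's router, an in-memory map as a stand-in for NEF subscription state, and a constructed HMAC-tagged token in place of the real OAuth2 access-token validation; the path prefix, handler and key are all assumptions. It mounts the same callback handler twice, once without the authorization middleware (the pre-4.2.2 shape) and once wrapped in it, and probes both with a forged token to show that only the unwrapped mount lets the crafted callback change the subscription keyed by a known NotifId.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// subStore is a constructed in-memory stand-in for NEF subscription state,
// keyed by NotifId. It is not free5GC's data model.
type subStore struct {
	mu   sync.Mutex
	subs map[string]string // NotifId -> state
}

func newStore() *subStore {
	return &subStore{subs: map[string]string{"notif-123": "active"}}
}

func (s *subStore) state(notifID string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.subs[notifID]
}

// Assumed path of the callback route group; chosen for the demo only.
const callbackPrefix = "/nnef-callback/v1/smf-notifications/"

// smfCallback is a hypothetical SMF-callback handler: any caller that reaches it
// changes the state of the subscription named by the NotifId in the path.
func (s *subStore) smfCallback(w http.ResponseWriter, r *http.Request) {
	notifID := strings.TrimPrefix(r.URL.Path, callbackPrefix)
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.subs[notifID]; !ok {
		http.Error(w, "unknown NotifId", http.StatusNotFound)
		return
	}
	s.subs[notifID] = "terminated"
	w.WriteHeader(http.StatusNoContent)
}

// An HMAC-tagged "scope.tag" token stands in for OAuth2 access-token validation.
// The key is constructed for this demo.
var demoKey = []byte("constructed-demo-key")

func tag(scope string) string {
	mac := hmac.New(sha256.New, demoKey)
	mac.Write([]byte(scope))
	return hex.EncodeToString(mac.Sum(nil))
}

func issueToken(scope string) string { return scope + "." + tag(scope) }

func tokenValid(tok string) bool {
	i := strings.LastIndex(tok, ".")
	if i < 0 {
		return false
	}
	return hmac.Equal([]byte(tok[i+1:]), []byte(tag(tok[:i])))
}

// requireBearer is the inbound authorization check the affected route group lacked.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || !tokenValid(strings.TrimPrefix(auth, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mountVulnerable mirrors the pre-4.2.2 shape: the group is mounted bare,
// so the handler runs for any Authorization value at all.
func mountVulnerable(s *subStore) http.Handler {
	mux := http.NewServeMux()
	mux.Handle(callbackPrefix, http.HandlerFunc(s.smfCallback))
	return mux
}

// mountFixed mounts the same group behind the middleware.
func mountFixed(s *subStore) http.Handler {
	mux := http.NewServeMux()
	mux.Handle(callbackPrefix, requireBearer(http.HandlerFunc(s.smfCallback)))
	return mux
}

// probe sends one crafted callback for notifID with the given bearer token and
// returns the HTTP status plus the subscription state afterwards.
func probe(h http.Handler, token, notifID string, s *subStore) (int, string) {
	req := httptest.NewRequest(http.MethodPost, callbackPrefix+notifID, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, s.state(notifID)
}

func main() {
	for _, c := range []struct {
		name  string
		mount func(*subStore) http.Handler
		token string
	}{
		{"vulnerable, forged token", mountVulnerable, "forged"},
		{"fixed, forged token", mountFixed, "forged"},
		{"fixed, valid token", mountFixed, issueToken("nnef-callback")},
	} {
		s := newStore()
		code, st := probe(c.mount(s), c.token, "notif-123", s)
		fmt.Printf("%-26s -> %d, notif-123 is %s\n", c.name, code, st)
	}
}
```

The point of the pair of mount functions is that the handler code is identical in both; the defect is purely where the group is registered relative to the middleware, which is why a review of route registration (rather than of the handler) is the place to catch this class of bug.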

Affected Version(s)

free5gc < 4.2.2

CVSS V3.1

Score: 7.3
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 27 May 2026