Unauthorized Access in free5GC Network Functions by Open Source Vendor
CVE-2026-44326

9.4 CRITICAL

Key Information:

Vendor: Free5gc

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-44326?

free5GC, an open-source implementation of the 5G core network, contains a significant vulnerability that lets network attackers use an API without authorization. Prior to version 4.2.2, the NEF did not enforce OAuth2/bearer token authorization on the 3gpp-traffic-influence API. As a result, a client can create, read, update, or delete traffic-influence subscriptions with no authorization header at all, or with an invalid bearer token, which puts network operation and security at risk. The flaw remains exploitable even when configuration intended to disable access is in place, exposing sensitive traffic steering functionality. Version 4.2.2 resolves this critical issue.
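The fail-closed check that was missing here can be sketched as HTTP middleware in Go; this is an added example, not free5GC's code or its 4.2.2 patch. `Policy`, `Guard`, `StaticToken`, `Probe`, the AF id `af001` and the token value are hypothetical or constructed, `APIEnabled` is one assumed reading of "configuration intended to disable access", and the resource path follows the 3GPP traffic-influence API layout.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Policy struct { // hypothetical stand-in for NEF settings, not free5GC's type
	APIEnabled bool                    // operator switch for this API (assumed)
	Validate   func(token string) bool // e.g. verifies an OAuth2 access token
}

// Guard fails closed for every method: API enabled AND a token Validate accepts.
func Guard(p Policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !p.APIEnabled {
			http.Error(w, "service disabled", http.StatusForbidden)
			return
		}
		scheme, token, ok := strings.Cut(r.Header.Get("Authorization"), " ")
		if !ok || !strings.EqualFold(scheme, "Bearer") || p.Validate == nil || !p.Validate(token) {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StaticToken is a constructed demo validator using a constant-time compare.
func StaticToken(want string) func(string) bool {
	return func(got string) bool { return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1 }
}

// Probe sends one constructed request through Guard and returns the status
// code; 200 means the protected handler was reached. No authz = no header.
func Probe(p Policy, method string, authz ...string) int {
	req := httptest.NewRequest(method, fmt.Sprintf("/3gpp-traffic-influence/v1/%s/subscriptions", "af001"), nil)
	req.Header["Authorization"] = authz
	rec := httptest.NewRecorder()
	Guard(p, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Probe(Policy{APIEnabled: true, Validate: StaticToken("constructed-token")}, "POST")) // 401
}
```

In a real deployment `Validate` would verify the signature, expiry, audience and scope of the access token rather than compare a static string.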

Affected Version(s)

free5gc < 4.2.2

CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
