CVE-2026-44320

7.3 HIGH

free5GC is an open-source implementation of the 5G core network

Published: 2026-05-27 · Last updated: 2026-05-28

Severity and scoring

CVSS: 7.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-306, CWE-862

Affected products

Vendor	Product
free5gc	free5gc

Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44320
[Exploit reference]https://github.com/free5gc/free5gc/issues/860
[Vendor advisory]https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf
[Patch]https://github.com/free5gc/nef/pull/24
[Vendor advisory]https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf

Related CVEs

Same vendor

CVE-2026-44330 — free5GC is an open-source implementation of the 5G core network (10.0 CRITICAL)
CVE-2026-44329 — free5GC is an open-source implementation of the 5G core network (10.0 CRITICAL)
CVE-2026-44328 — free5GC is an open-source implementation of the 5G core network (8.2 HIGH)
CVE-2026-44327 — free5GC is an open-source implementation of the 5G core network (10.0 CRITICAL)
CVE-2026-44326 — free5GC is an open-source implementation of the 5G core network (9.4 CRITICAL)

Same CWE

CVE-2026-12105 — Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplicat...
CVE-2026-53866 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators ... (8.1 HIGH)
CVE-2026-53851 — OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite... (5.3 MEDIUM)
CVE-2026-53850 — OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated caller... (5.5 MEDIUM)
CVE-2026-53844 — OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated call... (6.5 MEDIUM)