Vulnerability-Lookup

CVE-2026-44320 (GCVE-0-2026-44320)

Vulnerability from cvelistv5 – Published: 2026-05-27 15:48 – Updated: 2026-05-27 15:48

Title

free5GC: NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path

Summary

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-306 - Missing Authentication for Critical Function
CWE-862 - Missing Authorization

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/free5gc/free5gc/security/advis…	x_refsource_CONFIRM
https://github.com/free5gc/free5gc/issues/860	x_refsource_MISC
https://github.com/free5gc/nef/pull/24	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
free5gc	free5gc	Affected: < 4.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "free5gc",
          "vendor": "free5gc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:48:22.446Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf"
        },
        {
          "name": "https://github.com/free5gc/free5gc/issues/860",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/free5gc/issues/860"
        },
        {
          "name": "https://github.com/free5gc/nef/pull/24",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/nef/pull/24"
        }
      ],
      "source": {
        "advisory": "GHSA-wqfh-gq79-j8mf",
        "discovery": "UNKNOWN"
      },
      "title": "free5GC: NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44320",
    "datePublished": "2026-05-27T15:48:22.446Z",
    "dateReserved": "2026-05-05T19:00:06.022Z",
    "dateUpdated": "2026-05-27T15:48:22.446Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44320\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T17:16:37.177\",\"lastModified\":\"2026-05-27T17:16:37.177\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://github.com/free5gc/free5gc/issues/860\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/nef/pull/24\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-44320

Vulnerability from fkie_nvd - Published: 2026-05-27 17:16 - Updated: 2026-05-27 17:16

Severity

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/free5gc/free5gc/issues/860
	security-advisories@github.com	https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf
	security-advisories@github.com	https://github.com/free5gc/nef/pull/24

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2."
    }
  ],
  "id": "CVE-2026-44320",
  "lastModified": "2026-05-27T17:16:37.177",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T17:16:37.177",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/free5gc/issues/860"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/nef/pull/24"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-WQFH-GQ79-J8MF

Vulnerability from github – Published: 2026-05-08 22:46 – Updated: 2026-05-08 22:46

Summary

free5GC's NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path

Details

Summary

free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam).

Details

Validated against the NEF container in the official Docker compose lab. - Running Docker image: free5gc/nef:v4.2.1 - Docker validation date: 2026-03-11

NEF advertises OAuth2 setting receive from NRF: true, yet the nnef-callback route group is mounted with no inbound auth middleware. The API layer reads the raw request body and deserializes it before any auth check, then the processor looks up subscription state by NotifId.

Code evidence (paths in free5gc/nef): - Callback route group mounted without auth middleware: NFs/nef/internal/sbi/server.go:64 - Callback route exposed at /notification/smf: NFs/nef/internal/sbi/api_callback.go:13 - API layer reads raw request bytes and deserializes them before any auth check: NFs/nef/internal/sbi/api_callback.go:23 - Processor looks up the subscription by NotifId: NFs/nef/internal/sbi/processor/callback.go:13 - NEF context only exposes outbound token acquisition (GetTokenCtx); there is no inbound authorization path: NFs/nef/internal/context/nef_context.go:153 - Config validation only allows nnef-pfdmanagement and nnef-oam: NFs/nef/pkg/factory/config.go:126

PoC

Reproduced against the running NEF at http://10.100.200.19:8000 using a fabricated bearer token.

Send a forged callback request:

curl -i \
  -H 'Authorization: Bearer not-a-real-token' \
  -H 'Content-Type: application/json' \
  --data '{"notifId":"forged-notif","eventNotifs":[]}' \
  http://10.100.200.19:8000/nnef-callback/v1/notification/smf

Observed output:

HTTP/1.1 404 Not Found
{"title":"Data not found","status":404,"detail":"Subscription is not found"}

The 404 is positive auth-bypass evidence: the request was parsed and dispatched into the callback business handler instead of being rejected at the auth boundary. NEF container logs (docker logs nef) confirm the callback handler was reached:

[INFO][NEF][TraffInfl] SmfNotification - NotifId[forged-notif]
[INFO][NEF][GIN] | 404 | POST | /nnef-callback/v1/notification/smf

Impact

Missing inbound authentication (CWE-306) and authorization (CWE-862) on the NEF nnef-callback SBI route group. This is the trusted ingestion point for SMF -> NEF notifications. The defect is route-group-scoped: there is no auth middleware on the group at all, so every callback endpoint inside this group inherits the missing inbound auth boundary. Severity is scored against the route group's intended capability surface (consume SMF notifications and mutate NEF / downstream subscription state), NOT against the specific PoC where the chosen NotifId happened to be invalid.

Any party that can reach NEF on the SBI can: - Submit forged SMF callbacks to NEF anonymously, with body content fully controlled by the attacker. - Reach NEF callback business logic without proving producer NF identity, so any attacker who can guess or obtain a valid NotifId can deliver forged event notifications against real subscription state -- corrupting AF traffic-influence / PFD-management subscription views and the downstream SMF/UPF policy decisions that depend on them. - Hit any future callback added behind this same route group anonymously, because the auth boundary does not exist for this group.

The nnef-callback route group is also reachable even when the runtime ServiceList does not declare it, so operators relying on ServiceList to disable the service do not actually get that protection.

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/860 Upstream fix: https://github.com/free5gc/nef/pull/24

Severity

7.3 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/nef"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:46:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nfree5GC\u0027s NEF mounts the `nnef-callback` route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. `Authorization: Bearer not-a-real-token`) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid `NotifId`, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime `ServiceList` does not declare it (it lists only `nnef-pfdmanagement` and `nnef-oam`).\n\n### Details\nValidated against the NEF container in the official Docker compose lab.\n- Running Docker image: `free5gc/nef:v4.2.1`\n- Docker validation date: 2026-03-11\n\nNEF advertises `OAuth2 setting receive from NRF: true`, yet the `nnef-callback` route group is mounted with no inbound auth middleware. The API layer reads the raw request body and deserializes it before any auth check, then the processor looks up subscription state by `NotifId`.\n\nCode evidence (paths in `free5gc/nef`):\n- Callback route group mounted without auth middleware: `NFs/nef/internal/sbi/server.go:64`\n- Callback route exposed at `/notification/smf`: `NFs/nef/internal/sbi/api_callback.go:13`\n- API layer reads raw request bytes and deserializes them before any auth check: `NFs/nef/internal/sbi/api_callback.go:23`\n- Processor looks up the subscription by `NotifId`: `NFs/nef/internal/sbi/processor/callback.go:13`\n- NEF context only exposes outbound token acquisition (`GetTokenCtx`); there is no inbound authorization path: `NFs/nef/internal/context/nef_context.go:153`\n- Config validation only allows `nnef-pfdmanagement` and `nnef-oam`: `NFs/nef/pkg/factory/config.go:126`\n\n### PoC\nReproduced against the running NEF at `http://10.100.200.19:8000` using a fabricated bearer token.\n\nSend a forged callback request:\n```\ncurl -i \\\n  -H \u0027Authorization: Bearer not-a-real-token\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\"notifId\":\"forged-notif\",\"eventNotifs\":[]}\u0027 \\\n  http://10.100.200.19:8000/nnef-callback/v1/notification/smf\n```\n\nObserved output:\n```\nHTTP/1.1 404 Not Found\n{\"title\":\"Data not found\",\"status\":404,\"detail\":\"Subscription is not found\"}\n```\n\nThe `404` is positive auth-bypass evidence: the request was parsed and dispatched into the callback business handler instead of being rejected at the auth boundary. NEF container logs (`docker logs nef`) confirm the callback handler was reached:\n```\n[INFO][NEF][TraffInfl] SmfNotification - NotifId[forged-notif]\n[INFO][NEF][GIN] | 404 | POST | /nnef-callback/v1/notification/smf\n```\n\n### Impact\nMissing inbound authentication (CWE-306) and authorization (CWE-862) on the NEF `nnef-callback` SBI route group. This is the trusted ingestion point for SMF -\u003e NEF notifications. The defect is route-group-scoped: there is no auth middleware on the group at all, so every callback endpoint inside this group inherits the missing inbound auth boundary. Severity is scored against the route group\u0027s intended capability surface (consume SMF notifications and mutate NEF / downstream subscription state), NOT against the specific PoC where the chosen `NotifId` happened to be invalid.\n\nAny party that can reach NEF on the SBI can:\n- Submit forged SMF callbacks to NEF anonymously, with body content fully controlled by the attacker.\n- Reach NEF callback business logic without proving producer NF identity, so any attacker who can guess or obtain a valid `NotifId` can deliver forged event notifications against real subscription state -- corrupting AF traffic-influence / PFD-management subscription views and the downstream SMF/UPF policy decisions that depend on them.\n- Hit any future callback added behind this same route group anonymously, because the auth boundary does not exist for this group.\n\nThe `nnef-callback` route group is also reachable even when the runtime `ServiceList` does not declare it, so operators relying on `ServiceList` to disable the service do not actually get that protection.\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/860\nUpstream fix: https://github.com/free5gc/nef/pull/24",
  "id": "GHSA-wqfh-gq79-j8mf",
  "modified": "2026-05-08T22:46:37Z",
  "published": "2026-05-08T22:46:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/860"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/nef/pull/24"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44320 (GCVE-0-2026-44320)

FKIE_CVE-2026-44320

GHSA-WQFH-GQ79-J8MF

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature