free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-…

free5GC, an open-source 5G core network implementation, contains a critical authorization bypass vulnerability in versions prior to 4.2.2. The Network Exposure Function (NEF) component mounts the 3gpp-pfd-management API without proper OAuth2/bearer-token authorization checks. Network attackers who can reach the NEF on the Service Based Interface (SBI) can forge arbitrary bearer tokens to create, read, and delete PFD-management transaction state. The vulnerability is particularly dangerous as the affected API route remains accessible even when operators believe they have disabled it through configuration settings. This creates a false sense of security for administrators who think the service is protected. The issue affects the core 5G network infrastructure and has been fixed in version 4.2.2.