


Perceptive Security
SOC/SIEM Consultancy

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/beare…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 20:13:41
Source:
nvd.nist.gov
Network Infrastructure, Critical Infrastructure, Mobile & IoT
CVE-2026-44320 affects free5GC, an open-source 5G core network implementation. Prior to version 4.2.2, the NEF component mounts the nnef-callback route group without proper OAuth2/bearer-token authorization. Attackers can use forged bearer tokens to reach the SMF-callback handler and process malicious callbacks. The vulnerability allows bypass of authentication boundaries and manipulation of subscription state if a valid NotifId is obtained. The route group remains accessible even when not declared in the runtime ServiceList. This represents a critical authentication bypass in 5G network infrastructure. The vulnerability has been fixed in version 4.2.2.
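The flaw class described above, shown as an added Go example that is not free5GC's code or taken from the advisory: a callback route group mounted unconditionally with no inbound token check, next to a version that mounts it only when the service is declared and only behind bearer-token validation. The handler, the validator, the token value, the request path and the ServiceList entry name are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical names, not free5GC's NEF code; the ServiceList entry name is assumed.
const callbackPrefix, serviceName = "/nnef-callback/", "nnef-callback"

// requireBearer rejects requests failing valid, a stand-in for real OAuth2 token verification.
func requireBearer(valid func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || !valid(strings.TrimPrefix(h, "Bearer ")) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter: hardened=false mounts the group always and unchecked; true requires declaration and a valid token.
func newRouter(declared map[string]bool, valid func(string) bool, cb http.Handler, hardened bool) *http.ServeMux {
	mux := http.NewServeMux()
	if !hardened {
		mux.Handle(callbackPrefix, cb)
	} else if declared[serviceName] {
		mux.Handle(callbackPrefix, requireBearer(valid, cb))
	}
	return mux
}

// status posts to a constructed callback path and returns the HTTP status code.
func status(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodPost, callbackPrefix+"constructed-path", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cb := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	ok := func(t string) bool { return t == "constructed-valid-token" }
	fmt.Println(status(newRouter(nil, ok, cb, false), "forged"), status(newRouter(map[string]bool{serviceName: true}, ok, cb, true), "forged"))
}
```

A regression test for the fixed behaviour should cover both conditions separately: a forged token against a declared service, and a valid token against an undeclared one.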
Technical details
Mitigation steps:
Affected products:
free5GC
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44320
https://github.com/free5gc/free5gc/issues/860
https://github.com/free5gc/free5gc/security/advisories/GHSA-wqfh-gq79-j8mf
https://github.com/free5gc/nef/pull/24
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
