free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bear…

free5GC, an open-source 5G core network implementation, contains an authorization bypass vulnerability in versions prior to 4.2.2. The NEF (Network Exposure Function) component mounts the 3gpp-traffic-influence API without proper OAuth2/bearer-token authorization. Network attackers who can reach the NEF on the SBI can perform unauthorized operations including creating, reading, patching, and deleting traffic-influence subscriptions. The vulnerability allows attackers to use forged bearer tokens or no authorization header at all. Even operators who believe they have disabled the service via configuration remain exposed. The issue is fixed in version 4.2.2.