free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bear…

free5GC, an open-source 5G core network implementation, contains an authentication bypass vulnerability in versions prior to 4.2.2. The NEF component exposes the 3gpp-traffic-influence API without proper OAuth2/bearer-token authorization. Network attackers who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions without authentication or using forged bearer tokens. This includes creating AnyUeInd=true subscriptions that affect group or any-UE traffic steering. The vulnerability persists even when operators believe they have disabled the service via configuration, as the route group remains accessible regardless of ServiceList settings. The issue has been fixed in version 4.2.2.