free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-tok…

free5GC, an open-source 5G core network implementation, contains an authentication bypass vulnerability in versions prior to 4.2.2. The NEF component mounts the nnef-oam route group without OAuth2/bearer-token authorization, allowing network attackers who can reach NEF on the SBI to access OAM routes without any authorization headers. The vulnerability affects the entire OAM route group, meaning all future operations added to this group inherit the missing authentication boundary by default. While the current OAM handler is a stub returning null, the structural defect poses significant security risks. The vulnerability has been fixed in version 4.2.2.