top of page
perceptive_background_267k.jpg

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/…

Published:

26 mei 2026 om 22:00:00

Alert date:

27 mei 2026 om 18:07:10

Source:

nvd.nist.gov

Click to open the original link from this advisory

Network Infrastructure, Mobile & IoT, Critical Infrastructure

CVE-2026-44330 affects free5GC, an open-source 5G core network implementation. Prior to version 4.2.2, the Network Exposure Function (NEF) mounts the nnef-pfdmanagement route group without proper OAuth2/bearer-token authorization. Network attackers who can reach NEF on the Service Based Interface (SBI) can use forged bearer tokens to read PFD application data and manipulate change-notification subscriptions. The vulnerability stems from missing inbound authentication middleware on the route group. This is a production-intended path that operators expect to be protected by OAuth2 but is not. The issue is fixed in version 4.2.2.

Technical details

Mitigation steps:

Affected products:

free5GC

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-44330
https://github.com/free5gc/free5gc/security/advisories/GHSA-rwww-x45w-p52w

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page