PT-2026-39245 · free5GC+1
Linziyuu · Published 2026-05-08 · Updated 2026-05-27 · CVE-2026-44315
CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions
free5GC versions prior to 4.2.2
Description
The Network Exposure Function (NEF) in free5GC mounts the '3gpp-pfd-management' API without inbound OAuth2 or bearer-token authorization. A network attacker with access to the Service Based Interface (SBI) can use forged or arbitrary bearer tokens to create, read, and delete PFD-management transaction states. This allows for the poisoning of policy state used by the Session Management Function (SMF) and User Plane Function (UPF) for traffic classification, leakage of application function policy data, and denial of service for legitimate application detection rules.
Technical details include:
- API Endpoints: '/3gpp-pfd-management/v1/{scsAsID}/transactions' and '/3gpp-pfd-management/v1/{scsAsID}/transactions/{transID}'
- Vulnerable Parameters: Authorization header
- Vulnerable Functions: PostPFDManagementTransactions(), GetIndividualPFDManagementTransaction(), and DeleteIndividualPFDManagementTransaction()
Additionally, the route group remains reachable even if the ServiceList in the running configuration does not declare it, meaning the service cannot be disabled via this configuration setting.
Recommendations
Update to version 4.2.2.
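The two properties the description says were missing, shown as an added example that is not free5GC's code or its 4.2.2 fix: the route group is mounted only when the service list declares it, and every request must carry a bearer token that passes validation. NewRouter, Probe and TokenValidator are hypothetical names, the token and scsAsID values are constructed, and it is an assumption that ServiceList entries use the API name.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const pfdService = "3gpp-pfd-management"

// TokenValidator is a hypothetical stand-in for real OAuth2 token verification.
type TokenValidator func(token, service string) bool

// NewRouter mounts the PFD route group only if serviceList declares it, and only
// behind a check that rejects a missing, non-Bearer or refused token.
func NewRouter(serviceList []string, valid TokenValidator, pfd http.Handler) http.Handler {
	mux := http.NewServeMux()
	guarded := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || !valid(h[len("Bearer "):], pfdService) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		pfd.ServeHTTP(w, r)
	})
	for _, s := range serviceList {
		if s == pfdService {
			mux.Handle("/"+pfdService+"/v1/", guarded)
			break
		}
	}
	return mux
}

// Probe sends one GET through h and returns the HTTP status code.
func Probe(h http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	valid := func(tok, _ string) bool { return tok == "constructed-valid-token" }
	pfd := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) })
	r := NewRouter([]string{pfdService}, valid, pfd)
	fmt.Println(Probe(r, "/3gpp-pfd-management/v1/af001/transactions", "Bearer forged"))
}
```

The same Probe calls work as a regression check after upgrading: an unauthenticated or forged-token request should never reach the transaction handlers, and an undeclared service should not be routable at all.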
Exploit
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
free5GC
github.com/free5gc/nef