CVE-2026-44320

Name of the Vulnerable Software and Affected Versions free5GC versions prior to 4.2.2

Description The Network Exposure Function (NEF) in free5GC mounts the 'nnef-callback' route group without inbound OAuth2 or bearer-token authorization. This allows an attacker to reach the SMF-callback handler using a forged or arbitrary bearer token, as the request body is parsed and dispatched into the business logic instead of being rejected at the authentication boundary. The NEF fails to authenticate the producer Network Function (NF) identity before processing callback content. If an attacker obtains or guesses a valid NotifId, they can submit forged callbacks to act on real subscription states, potentially corrupting traffic-influence or PFD-management views and affecting downstream policy decisions. The issue is accessible via the endpoint '/nnef-callback/v1/notification/smf' and remains reachable even if the ServiceList does not declare the route group. The vulnerability involves the NotifId variable and the SmfNotification function.

Recommendations Update to version 4.2.2. As a temporary workaround, restrict network access to the NEF SBI interface to ensure only trusted Network Functions can reach the '/nnef-callback/v1/notification/smf' endpoint.