PT-2026-39255 · free5GC+1

Linziyuu · Published 2026-05-08 · Updated 2026-05-27 · CVE-2026-44325

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

free5GC versions prior to 4.2.2

Description

The NRF root SBI endpoint "POST /oauth2/token" contains a parser-level type-confusion bug. The handler in NFs/nrf/internal/sbi/api accesstoken.go uses reflection over models.NrfAccessTokenAccessTokenReq but only special-cases plain string and NrfNfManagementNfType fields, treating all other fields as models.PlmnId. When an attacker provides a field name in the form body whose type is incompatible with models.PlmnId (such as a slice or a different struct), the reflect.Value.Set() call panics. The Gin recovery mechanism converts these panics into HTTP 500 errors, but unauthenticated remote clients can still trigger the panic with form-encoded requests. This can be triggered using several parameters, including requesterPlmnList, requesterSnssaiList, requesterSnpnList, targetSnpn, targetSnssaiList, and targetNsiList.

Recommendations

Update to version 4.2.2.
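
The reflection pattern described above, next to a type-checked variant, as an added example; it is not free5GC's code and not the 4.2.2 patch. TokenReq, Snssai, setUnchecked and setChecked are hypothetical names, JSON decoding of the field value is an assumption, and the deferred recover stands in for Gin's recovery middleware.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

type PlmnId struct{ Mcc, Mnc string } // constructed stand-ins, not free5GC's models
type Snssai struct{ Sst int }
type TokenReq struct {
	TargetPlmn          PlmnId
	RequesterSnssaiList []Snssai
}

// setUnchecked reproduces the flawed pattern: the named field is assumed to be a PlmnId.
func setUnchecked(req *TokenReq, name, raw string) (err error) {
	defer func() { // plays the role of Gin's recovery middleware
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	var p PlmnId
	if e := json.Unmarshal([]byte(raw), &p); e != nil {
		return e
	}
	reflect.ValueOf(req).Elem().FieldByName(name).Set(reflect.ValueOf(p)) // panics unless the field is a PlmnId
	return nil
}

// setChecked decodes into a value of the field's own type and rejects unknown names.
func setChecked(req *TokenReq, name, raw string) error {
	f := reflect.ValueOf(req).Elem().FieldByName(name)
	if !f.IsValid() {
		return fmt.Errorf("unknown field %q", name)
	}
	v := reflect.New(f.Type()) // pointer to a zero value of the field's real type
	if e := json.Unmarshal([]byte(raw), v.Interface()); e != nil {
		return fmt.Errorf("bad value for %q: %w", name, e)
	}
	f.Set(v.Elem()) // types match by construction, so Set cannot panic
	return nil
}

func main() {
	plmn := `{"Mcc":"001","Mnc":"01"}` // constructed sample value
	fmt.Println(setUnchecked(&TokenReq{}, "RequesterSnssaiList", plmn))
	fmt.Println(setChecked(&TokenReq{}, "RequesterSnssaiList", plmn))
}
```

In the checked variant a mismatched value becomes an ordinary error the handler can map to a 4xx response, so the recovery middleware is never involved.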

Exploit

Fix

RCE

Improper Handling of Exceptional Conditions

Type Confusion

Weakness Enumeration

Related Identifiers

CVE-2026-44325
GHSA-F8QV-7X5W-QR48

Affected Products

free5GC
github.com/free5gc/nrf