PT-2026-39256 · free5GC (+1)

Linziyuu · Published 2026-05-08 · Updated 2026-05-27

CVE-2026-44326 · CVSS v3.1 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: free5GC versions prior to 4.2.2

Description: The Network Exposure Function (NEF) mounts the '3gpp-traffic-influence' API without requiring inbound OAuth2 or bearer-token authorization. A network attacker with access to the NEF on the Service Based Interface (SBI) can perform create, read, patch, and delete operations on traffic-influence subscriptions. This can be achieved by omitting the Authorization header entirely or by using a forged bearer token. This allows for the creation of AnyUeInd=true subscriptions to affect group or any-UE traffic steering. Additionally, the route group remains reachable even if the ServiceList in the running configuration does not declare it, meaning operators cannot disable the service via configuration to mitigate the risk.

Recommendations: Update to version 4.2.2.
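The two defects the description names, as an added mitigation sketch that is not free5GC's code or its actual fix: the traffic-influence route group is registered only when the ServiceList declares it, and always behind a bearer-token check, so an omitted header or a forged token gets a 401 before any subscription handler runs. The service name "nnef-trafficinfluence" and the injected TokenValidator are assumptions for the example.

```go
package main

import (
	"net/http"
	"strings"
)

// TrafficInfluenceService is the ServiceList entry name assumed for this example.
const TrafficInfluenceService = "nnef-trafficinfluence"

// TokenValidator reports whether a presented bearer token is acceptable. A real NEF
// would verify the NRF-issued OAuth2 JWT; it is injected here so the example runs offline.
type TokenValidator func(token string) bool

// RequireBearer answers 401 to any request without a valid "Authorization: Bearer
// <token>" header, so neither an omitted header nor a forged token reaches the
// subscription handlers.
func RequireBearer(validate TokenValidator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) || !validate(strings.TrimPrefix(auth, prefix)) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="nef"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ServiceEnabled reports whether the running configuration declares the service.
func ServiceEnabled(serviceList []string, name string) bool {
	for _, s := range serviceList {
		if s == name {
			return true
		}
	}
	return false
}

// MountTrafficInfluence registers the 3gpp-traffic-influence route group only when
// ServiceList declares it, and always behind RequireBearer. It reports whether it mounted.
func MountTrafficInfluence(mux *http.ServeMux, serviceList []string, validate TokenValidator, api http.Handler) bool {
	if !ServiceEnabled(serviceList, TrafficInfluenceService) {
		return false
	}
	mux.Handle("/3gpp-traffic-influence/", RequireBearer(validate, api))
	return true
}
```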

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-44326, GHSA-3P28-73Q7-45XP

Affected Products: free5GC, github.com/free5gc/nef