CVE-2026-44330

Name of the Vulnerable Software and Affected Versions free5GC version 4.2.1

Description The Network Exposure Function (NEF) mounts the nnef-pfdmanagement route group without inbound OAuth2 or bearer-token authorization. This allows a network attacker with access to the Service-Based Interface (SBI) to use forged or arbitrary bearer tokens to perform unauthorized actions. Specifically, attackers can read PFD application data via the endpoints "/applications" and "/applications/{appID}", and create or delete PFD change-notification subscriptions using "/subscriptions" and "/subscriptions/{subID}". This occurs because the route group is mounted without the necessary inbound authentication middleware, despite being declared in the runtime ServiceList where operators expect protection via NRF-issued OAuth2.

Recommendations Update free5GC to a version that incorporates the fix from pull request 23 in the NEF repository. As a temporary workaround, restrict network access to the NEF Service-Based Interface (SBI) to ensure only trusted entities can reach the nnef-pfdmanagement endpoints.