CVE-2026-44315: free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token). The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2.
HarborGuard Analysis
Synopsis
This is an authentication bypass in the free5GC open-source 5G core, specifically in the NEF (Network Exposure Function) component's 3gpp-pfd-management API. Prior to 4.2.2 the NEF mounts the route group without inbound OAuth2/bearer-token authorization, so any arbitrary or forged bearer token is accepted and no real authentication barrier exists; the route group is also served even when the NEF's ServiceList does not declare it. A network attacker who can reach the NEF SBI can create, read, and delete PFD (Packet Flow Description) transaction state, disrupting application-aware policy enforcement and exposing configuration intended to stay inside the operator network. The upstream fix is free5GC 4.2.2.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-44315 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built free5GC images, in registries and CI/CD pipelines. Any image containing a free5GC NEF component at a version earlier than 4.2.2 is flagged automatically.
- Triage: Available
Triage uses the CVSS v3.1 base score of 9.4 (CRITICAL), with per-environment compliance policy weighting applied to prioritize the finding for each customer's context. Alerts are routed to the inbox or ticketing integration configured for the affected workload owner inside each customer organization.
- Remediation: Upstream fix in 4.2.2
The upstream fix is free5GC 4.2.2. HarborGuard re-checks the advisory each ingest cycle and surfaces a patched-image rebuild against the fixed version for affected workloads. For workloads that cannot be upgraded immediately, compensating-control recommendations are surfaced in the finding detail to reduce exposure.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the NEF Service-Based Interface (SBI) port over the network; no local or physical access is needed.
- Authentication: Not required
No valid credentials are needed; the API accepts any bearer token value, including a fabricated one such as the advisory's own example, Authorization: Bearer not-a-real-token, so there is no real authentication barrier.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user or operator.
- Attack complexity: Low
The exploit is a plain HTTP request against the SBI and is reliable and condition-free; no race conditions, special memory layout, or environmental dependencies are involved.
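The exploit conditions above reduce to one observable: does the NEF answer a PFD-management request carrying a token that no validator could accept? The following probe is an added example written for this page, not free5GC code or HarborGuard tooling. It assumes the TS 29.122 resource layout `{apiRoot}/3gpp-pfd-management/v1/{scsAsId}/transactions` and uses a placeholder scsAsId of `probe-af`; both are assumptions, so adjust them to your deployment. It deliberately uses a read-only GET so that it tests the authorization gap without creating or deleting transaction state.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Verdict classifies how the NEF answered a request with a forged bearer token.
type Verdict string

const (
	VerdictExposed      Verdict = "EXPOSED"      // 2xx with a bogus token: no inbound authz on the route group
	VerdictRejected     Verdict = "REJECTED"     // 401/403: a token check sits in the request path
	VerdictNotMounted   Verdict = "NOT_MOUNTED"  // 404: route group not served at this apiRoot
	VerdictInconclusive Verdict = "INCONCLUSIVE" // anything else (5xx, redirects): inspect manually
)

// ProbeScsAsId is a constructed placeholder; real AF/SCS identifiers come from the deployment.
const ProbeScsAsId = "probe-af"

// BogusToken is deliberately not a JWT, so any real validator must reject it.
// It is the same value the advisory uses as its example.
const BogusToken = "not-a-real-token"

// PFDTransactionsPath follows the TS 29.122 PFD-management resource layout
// (assumption: adjust if your NEF build mounts the group elsewhere).
func PFDTransactionsPath(scsAsId string) string {
	return "/3gpp-pfd-management/v1/" + scsAsId + "/transactions"
}

// Classify maps the HTTP status of the probe response to a verdict.
func Classify(status int) Verdict {
	switch {
	case status >= 200 && status < 300:
		return VerdictExposed
	case status == http.StatusUnauthorized || status == http.StatusForbidden:
		return VerdictRejected
	case status == http.StatusNotFound:
		return VerdictNotMounted
	default:
		return VerdictInconclusive
	}
}

// ProbePFD sends a read-only GET with a forged bearer token to the NEF at apiRoot
// and returns the verdict together with the raw status code.
func ProbePFD(ctx context.Context, client *http.Client, apiRoot string) (Verdict, int, error) {
	url := apiRoot + PFDTransactionsPath(ProbeScsAsId)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return VerdictInconclusive, 0, err
	}
	req.Header.Set("Authorization", "Bearer "+BogusToken)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return VerdictInconclusive, 0, err
	}
	defer resp.Body.Close()
	return Classify(resp.StatusCode), resp.StatusCode, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: nefprobe <apiRoot, e.g. https://nef.core.internal:8000>")
		os.Exit(2)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	// Assumption: plain HTTP or a publicly trusted certificate. For an SBI fronted by a
	// private CA, build an http.Client with a tls.Config carrying that CA and pass it here.
	client := &http.Client{Timeout: 5 * time.Second}
	verdict, code, err := ProbePFD(ctx, client, os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%s -> HTTP %d: %s\n", os.Args[1], code, verdict)
	if verdict == VerdictExposed {
		os.Exit(1)
	}
}
```

Run it against the NEF apiRoot from a host that can reach the SBI port. An EXPOSED verdict from a NEF whose ServiceList does not list the PFD-management service is the direct confirmation of the advisory's second point: the route group is live regardless of configuration, so only network-layer isolation or the 4.2.2 upgrade closes it. A REJECTED verdict after upgrading is the check that the fix is actually in the deployed image, not just in the tag.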
Blast Radius
- Reads PFD transaction state, exposing packet-flow descriptions and policy configuration intended to stay internal to the operator network (the vector scores confidentiality impact as C:L).
- Creates arbitrary PFD transactions, injecting forged packet-flow descriptions that change how subscriber traffic is classified and handled under application-specific policy (I:H).
- Deletes existing PFD transactions, removing legitimate descriptions and disrupting application-aware policy enforcement.
- Mass deletion or flooding of transaction state can deny the PFD-management service to the 5G core functions that depend on the NEF (the vector scores availability impact as A:H).
How HarborGuard Handles This
Detection is live for any customer image containing a free5GC NEF component below version 4.2.2, flagged at CRITICAL severity. The upstream fix is free5GC 4.2.2: HarborGuard monitors the advisory on every ingest cycle and surfaces a patched-image rebuild against that version. For customers with auto-remediation enabled, the rebuild triggers a regression test run and opens a PR against affected workloads without manual intervention.
For workloads that cannot be upgraded immediately, the finding detail includes compensating-control guidance: network-policy rules that restrict SBI port access to known internal 5G core peers, and egress filtering to limit lateral use of a compromised NEF. Because the vulnerable route group is active even when the ServiceList config omits it, config-based disablement alone is not a reliable mitigation; network-layer isolation is the primary control short of upgrading.
Metrics
- CVSS v3.1: 9.4
- Severity: CRITICAL
- Fixed in: 4.2.2
- Affected Products: 1
  - free5gc / free5gc < 4.2.2
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H