HIGH | CVE-2026-44320 | CNA: GitHub_M

CVE-2026-44320: free5GC: NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2.
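The two defects described above (a route group mounted with no inbound auth middleware, and a group reachable although the ServiceList does not declare it) can be closed at mount time. The following is an added example using Go's standard library, not free5GC's code: `requireScope`, `mountGroups`, `demoMux`, `probe`, the `/nnef-callback/notify` path and the `demo-token:` format are hypothetical names and constructed values, and the `verify` callback stands in for real OAuth2 access-token validation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireScope rejects at the auth boundary, before the body is read; verify is a hypothetical OAuth2 check.
func requireScope(scope string, verify func(token, scope string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authz := r.Header.Get("Authorization")
		tok := strings.TrimPrefix(authz, "Bearer ")
		if tok == authz || !verify(tok, scope) { // no Bearer prefix, or token fails validation
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mountGroups registers only the groups named in serviceList, each behind requireScope.
func mountGroups(serviceList []string, groups map[string]http.Handler, verify func(token, scope string) bool) http.Handler {
	mux := http.NewServeMux()
	for _, name := range serviceList {
		if h, ok := groups[name]; ok {
			mux.Handle("/"+name+"/", requireScope(name, verify, h))
		}
	}
	return mux // undeclared groups were never mounted, so they answer 404
}

// demoMux wires constructed handlers and a toy verifier (demo values, not free5GC's API).
func demoMux(serviceList []string) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	groups := map[string]http.Handler{"nnef-callback": ok, "nnef-pfdmanagement": ok, "nnef-oam": ok}
	return mountGroups(serviceList, groups, func(t, s string) bool { return t == "demo-token:"+s })
}

// probe POSTs an empty JSON body to path and returns the HTTP status code.
func probe(h http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader("{}"))
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(probe(demoMux([]string{"nnef-callback"}), "/nnef-callback/notify", "Bearer not-a-real-token")) }
```

The same `probe` call doubles as a regression check after upgrading: a declared group must answer 401 to an unverifiable token, and an undeclared one must not be routable at all.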

HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in the NEF (Network Exposure Function) component of free5GC, an open-source 5G core network implementation. The nnef-callback route group is mounted without any OAuth2 or bearer-token authorization middleware, meaning any request carrying an arbitrary or forged Authorization header bypasses the auth boundary and reaches SMF-callback business logic. An attacker who can guess or obtain a valid NotifId can forge callback requests to read, modify, or disrupt real subscription state. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built 5G core images that bundle free5GC components. Any image containing an affected version of free5GC prior to 4.2.2 will surface in scan results automatically.

Status: Available

Triage

HarborGuard scores this issue at CVSS 7.3 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and can weight findings against each customer organization's compliance policy to determine urgency and routing. Triage alerts are routed to the appropriate team inbox within each customer environment based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published upstream for this CVE, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment free5GC 4.2.2 or a later fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the upstream fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The nnef-callback route group is exposed over the network, so an attacker must be able to send HTTP requests to the NEF service endpoint to reach the vulnerable handler.

  • Authentication: Not required

    No OAuth2 or bearer-token validation is enforced on the nnef-callback route group, so any request with an arbitrary or forged Authorization header is accepted without credential verification.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends forged callback requests directly to the NEF service.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free once the attacker can reach the service; the only attacker-controlled variable is guessing or obtaining a valid NotifId to act on real subscription state.

Blast Radius

  • Reads subscription state associated with valid NotifIds, exposing 5G subscriber session data stored in the NEF processing path.
  • Modifies active subscription state by injecting forged SMF-callback content, altering session or policy records for affected subscribers.
  • Disrupts NEF business logic by replaying or corrupting callback dispatches, degrading service continuity for subscriptions handled by the affected route group.
  • Reaches the vulnerable handler even when the runtime ServiceList does not declare the nnef-callback route, widening the exposed surface beyond what the operator may expect.

How HarborGuard Handles This

Available on HarborGuard: detection for this unauthenticated callback bypass is active across all customer scan environments, covering any image that bundles free5GC components prior to version 4.2.2. Because no upstream fix has been published yet, HarborGuard monitors the advisory on every ingest cycle and will automatically generate a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment free5GC ships a fix. In the interim, compensating controls worth evaluating include network-policy isolation that restricts inbound access to the NEF SBI port to known, authorized NF peers only; egress filtering to limit lateral reach from a compromised callback path; and review of NotifId generation entropy to reduce the feasibility of identifier guessing. These controls do not close the auth bypass but reduce the attacker's ability to reach and act on the vulnerable route group.

Metrics

  • CVSS v3.1: 7.3
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages: free5gc / free5gc < 4.2.2
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L