CVE-2026-44326: free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions either with no Authorization header at all, or with a forged bearer token (e.g. Authorization: Bearer not-a-real-token). This includes creating AnyUeInd=true subscriptions intended to affect group / any-UE traffic steering. The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2.
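The two controls the description says were missing, sketched as an added example that is not free5GC's own code: the route group is mounted only when the service list declares it, and every request must pass a bearer-token check before the handler runs. It uses Go's standard `net/http` rather than the project's router; `NewRouter`, `requireBearer`, `Probe`, the `validate` callback and the sample token are hypothetical names constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const tiService, tiPrefix = "3gpp-traffic-influence", "/3gpp-traffic-influence/v1/"
// requireBearer rejects a missing header, a non-Bearer scheme, or a refused token.
func requireBearer(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
		if len(p) != 2 || !strings.EqualFold(p[0], "Bearer") || !validate(p[1]) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter mounts the group only if serviceList declares it, always behind
// requireBearer. validate is a hypothetical stand-in for OAuth2 verification.
func NewRouter(serviceList []string, validate func(string) bool, api http.Handler) http.Handler {
	mux := http.NewServeMux()
	for _, s := range serviceList {
		if s == tiService {
			mux.Handle(tiPrefix, requireBearer(validate, api))
			break
		}
	}
	return mux
}

// Probe issues one GET and returns the status; empty authz sends no header.
func Probe(h http.Handler, authz string) int {
	req := httptest.NewRequest(http.MethodGet, tiPrefix+"af-1/subscriptions", nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	valid := func(t string) bool { return t == "constructed-valid-token" } // constructed token
	r := NewRouter([]string{tiService}, valid, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	fmt.Println(Probe(r, ""), Probe(r, "Bearer not-a-real-token"), Probe(r, "Bearer constructed-valid-token"))
}
```

The same `Probe` calls work as a regression check after upgrading: no header and a forged token must both be rejected, and an undeclared service must not be routable at all.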
HarborGuard Analysis
Synopsis
This is an authentication bypass vulnerability in free5GC's Network Exposure Function (NEF). The 3gpp-traffic-influence API is mounted without any OAuth2 or bearer-token authorization check, meaning a remote attacker who can reach the NEF Service-Based Interface (SBI) port over the network can call the API with no credentials or with an obviously forged token and be accepted. Successful exploitation lets the attacker read, create, modify, and delete traffic-influence subscriptions, including those that steer traffic for all UEs on the network, and can crash the affected service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream publishes a fix version.
HarborGuard Coverage
Detection of CVE-2026-44326 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built free5GC images. Coverage extends to any image layer that packages an affected free5GC NEF binary below version 4.2.2.
Status: Available
Triage is available through HarborGuard's scoring pipeline, which attaches the CVSS v3.1 score of 9.4 (Critical) to every matched finding and applies per-environment compliance policy weighting to set breach thresholds. Routed findings are delivered to the inbox or ticketing integration configured for each customer organization, so the right team receives the alert without manual sorting.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, for customers who opt into compensating-control suggestions, HarborGuard surfaces network-policy isolation recommendations to restrict access to the NEF SBI port to only trusted internal callers.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the NEF Service-Based Interface port over the network; the vulnerable API is exposed as a standard HTTP endpoint with no additional transport barrier.
- Authentication: Not required
No credentials are needed: the API accepts requests with no Authorization header at all, or with an arbitrary forged bearer token value.
- Victim interaction: Not required
Exploitation is fully server-side; no user action or social engineering is required.
- Attack complexity: Detail
The exploit is reliable and condition-free, requiring only a reachable NEF port and a valid API request shape; no race conditions or special environmental state apply.
Blast Radius
- Reads all existing traffic-influence subscriptions, exposing traffic-steering policy details and UE targeting configurations.
- Creates or modifies subscriptions, including AnyUeInd=true entries that redirect or manipulate traffic for every UE on the network.
- Deletes traffic-influence subscriptions, silently removing legitimate traffic-steering policies and disrupting network routing behavior.
- Crashes the NEF service through malformed or resource-exhausting subscription operations, taking the Network Exposure Function offline.
How HarborGuard Handles This
Available on HarborGuard: continuous advisory monitoring for CVE-2026-44326 is active, and the finding is surfaced with a Critical (9.4) severity label against any scanned image packaging an affected free5GC NEF binary. Because no upstream fix exists yet, HarborGuard re-evaluates the advisory on every ingest cycle; a patched-image rebuild will become available automatically once free5GC publishes version 4.2.2 or later. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. In the meantime, compensating controls available through HarborGuard guidance include applying Kubernetes NetworkPolicy rules to restrict access to the NEF SBI port to explicitly enumerated internal callers, and treating any externally reachable NEF deployment as fully compromised until the patch is in place. Note that the description confirms the route group is reachable even when ServiceList configuration appears to disable it, so configuration-only mitigations are not sufficient.
Metrics
- CVSS v3.1: 9.4
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
  - free5gc / free5gc < 4.2.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H