CVE-2026-44327: free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2.
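The route-group-scoped defect described above, as an added Go example using only `net/http` (it is not free5GC's code or its router): the same OAM routes are mounted once with no inbound middleware and once behind a group-level bearer check, and every route is probed with no Authorization header. The `/nnef-oam/v1/` prefix, the `/config` route, and the helper names `noAuth`, `requireBearer`, `mountOAM` and `codes` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// oamRoutes: the current stub plus a constructed later addition (paths assumed).
var oamRoutes = []string{"/nnef-oam/v1/", "/nnef-oam/v1/config"}

func noAuth(next http.Handler) http.Handler { return next } // group mounted with no inbound auth

// requireBearer rejects a missing token only; validating the token is out of scope here.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if a := r.Header.Get("Authorization"); len(a) <= 7 || a[:7] != "Bearer " {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mountOAM wraps every route in mw: auth belongs to the group, not to each handler.
func mountOAM(mw func(http.Handler) http.Handler) http.Handler {
	mux := http.NewServeMux()
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "null") })
	for _, p := range oamRoutes {
		mux.Handle(p, mw(stub))
	}
	return mux
}

// codes GETs each route in oamRoutes order; auth == "" sends no Authorization header.
func codes(h http.Handler, auth string) (out []int) {
	for _, p := range oamRoutes {
		req, rec := httptest.NewRequest("GET", p, nil), httptest.NewRecorder()
		if auth != "" {
			req.Header.Set("Authorization", auth)
		}
		h.ServeHTTP(rec, req)
		out = append(out, rec.Code)
	}
	return out
}

func main() {
	fmt.Println("no middleware:", codes(mountOAM(noAuth), ""), "requireBearer:", codes(mountOAM(requireBearer), ""))
}
```

A check shaped like `codes(handler, "")` works as a regression test in CI: any route in the group that answers a no-token request with something other than 401 fails the build.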
HarborGuard Analysis
Synopsis
This is an authentication bypass in the Network Exposure Function (NEF) component of free5GC, an open-source 5G core network implementation. An attacker who can reach the NEF Service Based Interface (SBI) over the network can send requests to the OAM route group with no Authorization header and receive a valid 200 OK response, because the entire nnef-oam route group is mounted without OAuth2 or bearer-token middleware. Successful exploitation gives an unauthenticated attacker direct access to OAM operations, with the structural defect meaning any future OAM handler added to the group inherits the missing auth boundary by default, enabling data disclosure, data tampering, and service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment the upstream fix is published at version 4.2.2.
HarborGuard Coverage
Detection for CVE-2026-44327 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle free5GC components. Any image found running a free5GC version prior to 4.2.2 is flagged immediately.
Status: Available
HarborGuard scores this CVE at CVSS 10.0 Critical and surfaces it at the top of each affected environment's vulnerability queue. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the inbox or ticketing integration configured for the relevant team within each customer org.
Status: Available
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at version 4.2.2 the moment the upstream release is confirmed. For customers with auto-remediation enabled, the rebuild, a regression test run, and a pull request against affected workloads will be triggered automatically without manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the NEF SBI port over the network; no local or physical access is needed, and no prior foothold is required.
- Authentication: Not required
  No Authorization header, bearer token, or OAuth2 credential of any kind is needed; the OAM route group accepts requests with a completely absent auth header.
- Victim interaction: Not required
  Exploitation is fully server-side; no user action, click, or social-engineering step is needed.
- Attack complexity: Detail
  The exploit is reliable and condition-free: sending a plain HTTP request to the OAM route is sufficient, with no race conditions, memory layout dependencies, or environmental prerequisites.
Blast Radius
- Reads any data returned by current or future OAM handlers, including operational and administrative state exposed over the unauthenticated route group.
- Modifies network exposure function configuration or operational state via any OAM write handler added to the route group in current or future code.
- Crashes or degrades NEF availability by invoking OAM operations that affect service state, disrupting 5G core network exposure services for connected consumers.
- Every new OAM handler merged into the route group inherits the missing auth boundary by default, expanding the attackable surface with each future code change.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-44327 is tracked at Critical severity and matched continuously against images in connected registries and pipelines. Because no upstream patch has been published yet, HarborGuard re-checks the advisory each ingest cycle and will generate a patched-image rebuild at free5GC 4.2.2 the moment the upstream release is confirmed. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a pull request opened against affected workloads. While no patch is available, compensating controls worth considering include network-policy rules that restrict access to the NEF SBI port to known internal SBI peers only, egress filtering to limit lateral movement from a compromised NEF, and feature-flag or deployment-level gating that prevents new OAM route handlers from reaching production until the auth middleware defect is resolved upstream.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
  - free5gc / free5gc < 4.2.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H