CRITICAL | CVE-2026-44330 | Published | Modified | CNA GitHub_M

CVE-2026-44330: free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2.

HarborGuard Analysis

Synopsis

This is an authentication bypass in the free5GC open-source 5G core network's Network Exposure Function (NEF). The nnef-pfdmanagement API route group is mounted without any OAuth2 or bearer-token validation middleware, meaning any network-reachable attacker can send a forged or arbitrary bearer token and be accepted without challenge. Successful exploitation lets an attacker read Packet Flow Description (PFD) application data and create or delete PFD change-notification subscriptions, disrupting or manipulating how traffic policy is distributed across the 5G core. A patched-image rebuild at version 4.2.2 is available on HarborGuard for environments running an affected version.
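The root cause described above, as an added example that is not free5GC code: a standard-library stand-in for the NEF router, with the nnef-pfdmanagement group mounted once without and once with an inbound bearer-token check. The `issued` token table (a stand-in for verifying NRF-signed access tokens), the `/nnef-pfdmanagement/v1` mount path, and all function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// issued maps constructed demo tokens to the scope they were granted (stand-in for NRF token verification).
var issued = map[string]string{"tok-pfd": "nnef-pfdmanagement", "tok-other": "constructed-other-scope"}

// requireScope is the inbound check the vulnerable mount lacks: reject unless the token carries the scope.
func requireScope(scope string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		a := r.Header.Get("Authorization")
		if !strings.HasPrefix(a, "Bearer ") || issued[strings.TrimPrefix(a, "Bearer ")] != scope {
			http.Error(w, "invalid_token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newNEF mounts the PFD route group, with or without the inbound check.
func newNEF(withAuth bool) http.Handler {
	const prefix = "/nnef-pfdmanagement/v1" // assumed mount path
	group := http.NewServeMux()             // the handlers never inspect the token themselves
	group.HandleFunc("/applications", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `[{"appId":"constructed-app"}]`)
	})
	var h http.Handler = group
	if withAuth {
		h = requireScope("nnef-pfdmanagement", h)
	}
	root := http.NewServeMux()
	root.Handle(prefix+"/", http.StripPrefix(prefix, h))
	return root
}

// status returns the HTTP code for GET /applications sent with the given Authorization value.
func status(h http.Handler, authz string) int {
	req := httptest.NewRequest("GET", "/nnef-pfdmanagement/v1/applications", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(status(newNEF(false), "Bearer not-a-real-token"), status(newNEF(true), "Bearer not-a-real-token")) }
```

The same regression check (an arbitrary token must yield 401 on every route in the group) is what an operator would run against a rebuilt image to confirm the fix is in place.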

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built free5GC images assembled from source. Any image containing a free5GC NEF component at a version below 4.2.2 is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 10.0 Critical and surfaces it with that severity label in each customer's finding dashboard. Per-environment compliance policy weighting can escalate or re-route the alert, for example to a network-infrastructure team inbox rather than a general security queue, based on how each organization has configured their policy rules.

Status: Available

Patch

A patched-image rebuild at free5GC 4.2.2 becomes available on HarborGuard as soon as the fix version is confirmed in the upstream registry. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the NEF Service Based Interface (SBI) over the network; any host with IP connectivity to the NEF endpoint can attempt the attack.

  • Authentication: Not required

    No valid credentials are needed; the middleware that would validate OAuth2 bearer tokens is absent, so a forged or arbitrary token value is accepted without verification.

  • Victim interaction: Not required

    The attack is entirely server-side and requires no action from any user or operator.

  • Attack complexity: Detail

    The exploit is reliable and condition-free: sending any HTTP request with an Authorization header to the unprotected route group succeeds unconditionally.

Blast Radius

  • Reads all PFD application records exposed via GET /applications and GET /applications/{appID}, including traffic-descriptor rules operators use to classify subscriber data flows.
  • Creates arbitrary PFD change-notification subscriptions via POST /subscriptions, injecting attacker-controlled callback endpoints into the 5G core notification fabric.
  • Deletes existing PFD subscriptions via DELETE /subscriptions/{subID}, preventing legitimate network functions from receiving policy update notifications and disrupting traffic steering across the core.
  • Because the scope is changed (S:C in the CVSS vector), impact extends beyond the NEF process itself to downstream network functions that consume PFD data.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of advisory ingestion for any image containing a free5GC NEF component below version 4.2.2, including images built from source or assembled as part of a custom 5G core deployment. The finding is scored Critical (CVSS 10.0) and routed according to each customer's compliance policy configuration. A patched-image rebuild at 4.2.2 is available; for customers who opt into auto-remediation, HarborGuard queues a rebuild, runs regression tests against the resulting image, and opens a PR against affected workloads, targeting a median turnaround of roughly 90 minutes for critical-severity findings. Until a rebuild is deployed, compensating controls worth considering include network-policy rules that restrict which internal sources can reach the NEF SBI port, egress filtering to limit which hosts the NEF can notify via subscription callbacks, and audit logging on the SBI ingress to surface anomalous bearer-token values.
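One way to implement the audit-logging control mentioned above, as an added example that is not HarborGuard or free5GC code: it flags requests to the nnef-pfdmanagement group whose Authorization value is missing or is not even shaped like a JWT access token. The log line format, the sample lines, and the function names are constructed for this example, and the check is structural only.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed SBI ingress audit lines: "<source> <method> <path> <Authorization value or ->".
// The format is an assumption for this example, not free5GC's own log format.
const sampleLog = `10.0.3.7 GET /nnef-pfdmanagement/v1/applications Bearer not-a-real-token
10.0.1.20 GET /nnef-pfdmanagement/v1/applications Bearer eyJhbGciOiJSUzUxMiJ9.e30.c2ln
10.0.3.7 DELETE /nnef-pfdmanagement/v1/subscriptions/1 -
10.0.1.20 GET /metrics -`

// jwtShaped checks structure only (three base64url segments, header naming a real alg); no signature check.
func jwtShaped(tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false
	}
	var hdr struct{ Alg string }
	for i, p := range parts {
		raw, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil || len(raw) == 0 || (i == 0 && json.Unmarshal(raw, &hdr) != nil) {
			return false
		}
	}
	return hdr.Alg != "" && !strings.EqualFold(hdr.Alg, "none")
}

// findings returns "<source> <method> <path>" for each PFD-management request with an anomalous token.
func findings(log string) []string {
	var out []string
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || !strings.HasPrefix(f[2], "/nnef-pfdmanagement/") {
			continue // malformed line or a path outside the affected route group
		}
		if !(len(f) == 5 && f[3] == "Bearer" && jwtShaped(f[4])) {
			out = append(out, strings.Join(f[:3], " "))
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(findings(sampleLog), "\n"))
}
```

A token that passes this shape check is not thereby valid; the check only surfaces the obviously anomalous values on an unpatched NEF until the 4.2.2 rebuild is deployed.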


Metrics

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in
Affected Products: 1
Affected packages:
  • free5gc / free5gc < 4.2.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H