← back
CVE-2026-44315

free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions

CVSS 9.4 CRITICALEPSS 0.3%CWE-862
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.4EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
27 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token). The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Affected products
free5gc · free5gc

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/free5gc/free5gc/issues/858https://github.com/free5gc/free5gc/security/advisories/GHSA-5f62-53r8-qrqfhttps://github.com/free5gc/nef/pull/23