CVE-2026-44320 - free5GC's NEF nnef-callback route group is unauthenticated; forged callback requ
CVE-2026-44320 - free5GC's NEF nnef-callback route group is unauthenticated; forged callback requ
GHSA-wqfh-gq79-j8mf HIGH go/github.com/free5gc/nef
CVE: CVE-2026-44320
Summary
free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam).
Details
Validated against the NEF container in the official Docker compose lab.
- Running Docker image:
free5gc/nef:v4.2.1 - Docker validation date: 2026-03-11
NEF advertises OAuth2 setting receive from NRF: true, yet the nnef-callback route group is mounted with no inbound auth middleware. The API layer reads the raw request body and deserializes it before any auth check, then the processor looks up subscription state by NotifId.
Code evidence (paths in free5gc/nef):
- Callback route group mounted without auth middleware:
NFs/nef/internal/sbi/server.go:64 - Callback route exposed at
/notification/smf:NFs/nef/internal/sbi/api_callback.go:13 - API layer reads raw request bytes and deserializes them before any auth check:
NFs/nef/internal/sbi/api_callback.go:23 - Processor looks up the subscription by
NotifId:NFs/nef/internal/sbi/processor/callback.go:13 - NEF context only exposes outbound token acquisition (
GetTokenCtx); there is no inbound authorization path:NFs/nef/internal/context/nef_context.go:153 - Config validation only allows
nnef-pfdmanagementandnnef-oam:NFs/nef/pkg/factory/config.go:126
📌 来源: GitHub-Advisory | 🆔 CVE-2026-44320 | 📅 2026-05-08