CVE-2026-44330 - free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens ca
GHSA-rwww-x45w-p52w CRITICAL go/github.com/free5gc/nef
CVE: CVE-2026-44330
Summary
free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. The root cause is the same as in the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected when NEF reports the OAuth2 setting "receive from NRF: true" -- and it is not.
Details
Validated against the NEF container in the official Docker compose lab.
- Source repo tag: v4.2.1
- Running Docker image: free5gc/nef:v4.2.0
- Runtime NEF commit: 5ce35eab
- Docker validation date: 2026-03-11
NEF advertises the OAuth2 setting "receive from NRF: true", but the entire nnef-pfdmanagement route group is mounted with no inbound auth middleware, so forged-token requests reach the read and subscription handlers and execute against UDR-backed state.
Code evidence (paths in free5gc/nef):
- Route group mounted without auth middleware: NFs/nef/internal/sbi/server.go:56
- Read routes exposed at /applications and /applications/:appID: NFs/nef/internal/sbi/api_pfdf.go:13
- Subscription routes exposed at /subscriptions and /subscriptions/:subID: NFs/nef/internal/sbi/api_pfdf.go:13
- GET /applications queries UDR for application PFD data: NFs/nef/internal/sbi/processor/pfdf.go:19
- GET /applications/:appID queries UDR for an application PFD: NFs/nef/internal/sbi/processor/pfdf.go:53
- POST /subscriptions only checks that notifyUri is present, then stores the subscription: NFs/nef/internal/sbi/processor/pfdf.go
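The defect class above is a route group mounted without an inbound authorization middleware. The following is an added illustration, not free5GC's own code, of the difference between the two states using only the Go standard library: the same nnef-pfdmanagement paths mounted bare (the vulnerable shape) and mounted behind a bearer-token check. The handler bodies, the route prefix, the token allow-list and the token value are constructed stand-ins; a real fix validates the NRF-issued OAuth2 access token (signature, expiry, scope) rather than comparing against a fixed string.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// pfdHandler is a constructed stand-in for the PFD read/subscription
// handlers; in free5GC these query or update UDR-backed state.
func pfdHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, `{"applications":[]}`)
}

// validToken is a constructed allow-list standing in for real OAuth2
// access-token validation of an NRF-issued token (assumption: the only
// acceptable token is the fixed example string below).
func validToken(tok string) bool {
	return subtle.ConstantTimeCompare([]byte(tok), []byte("nrf-issued-token-example")) == 1
}

// requireBearer rejects any request that lacks a valid Authorization: Bearer
// header before the wrapped handler (and therefore UDR) is ever reached.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		authz := r.Header.Get("Authorization")
		if !strings.HasPrefix(authz, prefix) || !validToken(strings.TrimPrefix(authz, prefix)) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="nnef-pfdmanagement"`)
			http.Error(w, `{"title":"Unauthorized"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter mounts the route group. protected=false mirrors the advisory's
// vulnerable state (no inbound auth); protected=true is the hardened shape.
func newRouter(protected bool) http.Handler {
	group := http.NewServeMux()
	group.HandleFunc("/nnef-pfdmanagement/v1/applications", pfdHandler)
	group.HandleFunc("/nnef-pfdmanagement/v1/applications/", pfdHandler) // /applications/{appID}
	group.HandleFunc("/nnef-pfdmanagement/v1/subscriptions", pfdHandler)
	group.HandleFunc("/nnef-pfdmanagement/v1/subscriptions/", pfdHandler) // /subscriptions/{subID}
	if !protected {
		return group
	}
	return requireBearer(group)
}

// statusFor sends one request with the given Authorization header value
// (empty string means no header) and returns the HTTP status code.
func statusFor(h http.Handler, method, path, authz string) int {
	req := httptest.NewRequest(method, path, nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	forged := "Bearer not-a-real-token"
	apps := "/nnef-pfdmanagement/v1/applications"
	fmt.Println("unprotected group, forged token:", statusFor(newRouter(false), "GET", apps, forged))
	fmt.Println("protected group, forged token:  ", statusFor(newRouter(true), "GET", apps, forged))
	fmt.Println("protected group, valid token:   ", statusFor(newRouter(true), "GET", apps, "Bearer nrf-issued-token-example"))
}
```

The check worth keeping from this example is the assertion pair: a forged token must yield 401 on every path in the group, including the DELETE /subscriptions/{subID} and GET /applications/{appID} subtrees, not just the collection roots. Applying the middleware at the group level rather than per handler is what makes that property hold when new routes are added.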
Source: GitHub-Advisory | CVE-2026-44330 | 2026-05-08