CVE-2026-44327

CRITICAL 10.0

free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

11th

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2.

CWE	CWE-306 CWE-862
Vendor	free5gc
Product	free5gc
Published	May 27, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for free5gc free5gc

Be the first to know when new critical vulnerabilities affecting free5gc free5gc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

High

Affected Versions

free5gc / free5gc

< 4.2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/free5gc/free5gc/security/advisories/GHSA-cmpj-2x3g-m7g3 github.com: https://github.com/free5gc/free5gc/issues/861 github.com: https://github.com/free5gc/nef/pull/23