CVE-2026-44327 CRITICAL

CVE-2026-44327: free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler

Vendor free5GC
Product free5gc
Weakness CWE-306 · Missing auth
Published May 27, 2026
Last update May 28, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

What the vulnerability does

01 Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2.
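The route-group-scoped boundary described above, as an added example that is not free5GC's code: a bearer-token check wrapped around the whole group, so that routes added later inherit it, with an in-process probe that confirms a no-token request is rejected. The `/nnef-oam/v1/` path, the `requireBearer`, `mountOAM` and `probe` names, and the token value are assumptions made for illustration, and `validate` stands in for real OAuth2 access-token verification.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer rejects requests lacking a token that validate (a placeholder) accepts.
func requireBearer(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		token := strings.TrimPrefix(auth, "Bearer ")
		if token == auth || token == "" || !validate(token) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mountOAM builds the OAM group (assumed path). protect=false reproduces the
// missing boundary; protect=true guards every route in the group, present or future.
func mountOAM(protect bool, validate func(string) bool) http.Handler {
	group := http.NewServeMux()
	group.HandleFunc("/nnef-oam/v1/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "null") // stub handler: 200 OK with a null body
	})
	if !protect {
		return group
	}
	return requireBearer(validate, group)
}

// probe sends an in-process GET (no network) and returns the status code.
func probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	v := func(t string) bool { return t == "constructed-token" } // constructed sample token
	fmt.Println(probe(mountOAM(false, v), "/nnef-oam/v1/", ""), probe(mountOAM(true, v), "/nnef-oam/v1/", ""))
}
```

A check of this shape, asserting 401 for every path in the group when no Authorization header is sent, works as a regression test for the boundary.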

Key dates

02 Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated