Summary
free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam).
Details
Validated against the NEF container in the official Docker compose lab.
- Running Docker image:
free5gc/nef:v4.2.1 - Docker validation date: 2026-03-11
NEF advertises OAuth2 setting receive from NRF: true, yet the nnef-callback route group is mounted with no inbound auth middleware. The API layer reads the raw request body and deserializes it before any auth check, then the processor looks up subscription state by NotifId.
Code evidence (paths in free5gc/nef):
- Callback route group mounted without auth middleware:
NFs/nef/internal/sbi/server.go:64 - Callback route exposed at
/notification/smf:NFs/nef/internal/sbi/api_callback.go:13 - API layer reads raw request bytes and deserializes them before any auth check:
NFs/nef/internal/sbi/api_callback.go:23 - Processor looks up the subscription by
NotifId:NFs/nef/internal/sbi/processor/callback.go:13 - NEF context only exposes outbound token acquisition (
GetTokenCtx); there is no inbound authorization path:NFs/nef/internal/context/nef_context.go:153 - Config validation only allows
nnef-pfdmanagementandnnef-oam:NFs/nef/pkg/factory/config.go:126
PoC
Reproduced against the running NEF at http://10.100.200.19:8000 using a fabricated bearer token.
Send a forged callback request:
curl -i \
-H 'Authorization: Bearer not-a-real-token' \
-H 'Content-Type: application/json' \
--data '{"notifId":"forged-notif","eventNotifs":[]}' \
http://10.100.200.19:8000/nnef-callback/v1/notification/smf
Observed output:
HTTP/1.1 404 Not Found
{"title":"Data not found","status":404,"detail":"Subscription is not found"}
The 404 is positive auth-bypass evidence: the request was parsed and dispatched into the callback business handler instead of being rejected at the auth boundary. NEF container logs (docker logs nef) confirm the callback handler was reached:
[INFO][NEF][TraffInfl] SmfNotification - NotifId[forged-notif]
[INFO][NEF][GIN] | 404 | POST | /nnef-callback/v1/notification/smf
Impact
Missing inbound authentication (CWE-306) and authorization (CWE-862) on the NEF nnef-callback SBI route group. This is the trusted ingestion point for SMF -> NEF notifications. The defect is route-group-scoped: there is no auth middleware on the group at all, so every callback endpoint inside this group inherits the missing inbound auth boundary. Severity is scored against the route group's intended capability surface (consume SMF notifications and mutate NEF / downstream subscription state), NOT against the specific PoC where the chosen NotifId happened to be invalid.
Any party that can reach NEF on the SBI can:
- Submit forged SMF callbacks to NEF anonymously, with body content fully controlled by the attacker.
- Reach NEF callback business logic without proving producer NF identity, so any attacker who can guess or obtain a valid
NotifIdcan deliver forged event notifications against real subscription state -- corrupting AF traffic-influence / PFD-management subscription views and the downstream SMF/UPF policy decisions that depend on them. - Hit any future callback added behind this same route group anonymously, because the auth boundary does not exist for this group.
The nnef-callback route group is also reachable even when the runtime ServiceList does not declare it, so operators relying on ServiceList to disable the service do not actually get that protection.
Affected: free5gc v4.2.1.
Upstream issue: https://github.com/free5gc/free5gc/issues/860
Upstream fix: https://github.com/free5gc/nef/pull/24
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
CVE-2026-44320 has a CVSS score of 7.3 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In the interim: Keep the dependency up to date. Add authentication gating to all sensitive endpoints.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44320? CVE-2026-44320 is a high-severity missing authentication for critical function vulnerability in github.com/free5gc/nef (go), affecting versions <= 1.2.3. No fixed version is listed yet. A critical operation is accessible without requiring any authentication.
- How severe is CVE-2026-44320? CVE-2026-44320 has a CVSS score of 7.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/free5gc/nef are affected by CVE-2026-44320? github.com/free5gc/nef (go) versions <= 1.2.3 is affected.
- Is there a fix for CVE-2026-44320? No fixed version is listed for CVE-2026-44320 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-44320 exploitable, and should I be worried? Whether CVE-2026-44320 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44320 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44320? No fixed version is listed yet. In the interim: Keep the dependency up to date. Add authentication gating to all sensitive endpoints.