
CVE-2026-44327: free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler

May 8, 2026

free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can send a request to the OAM route with no Authorization header at all, and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is scoped to the route group: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This is the same root cause as the NEF traffic-influence and PFD-management findings.
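A sketch of a group-scoped auth boundary and a regression check for it, added here as an example and not taken from free5GC's code or the linked pull request. Go's standard net/http stands in for NEF's router; the paths, the token validator and the names `requireBearer`, `oamRoutes` and `unauthenticatedRoutes` are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer rejects requests lacking a valid bearer token. validate is a
// hypothetical stand-in for real OAuth2 access-token verification.
func requireBearer(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || !validate(strings.TrimPrefix(h, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// oamRoutes is a constructed OAM group mounted with no inbound auth (the defect).
func oamRoutes() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/nnef-oam/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "null") // stub body, as the advisory describes
	})
	return mux
}

// unauthenticatedRoutes lists paths that answer a no-token request with anything but 401.
func unauthenticatedRoutes(h http.Handler, paths []string) []string {
	var open []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	ok := func(tok string) bool { return tok == "constructed-token" }
	paths := []string{"/nnef-oam/", "/nnef-oam/future-op"} // constructed paths
	fmt.Println("bare group:", unauthenticatedRoutes(oamRoutes(), paths))
	fmt.Println("wrapped group:", unauthenticatedRoutes(requireBearer(ok, oamRoutes()), paths))
}
```

Because the wrapper sits around the whole group, a route added later is covered without any per-handler change, and the probe can run in CI over the group's route list to catch a regression.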

References

  • github.com/advisories/GHSA-cmpj-2x3g-m7g3
  • github.com/free5gc/free5gc
  • github.com/free5gc/free5gc/issues/861
  • github.com/free5gc/free5gc/security/advisories/GHSA-cmpj-2x3g-m7g3
  • github.com/free5gc/nef/pull/23
  • nvd.nist.gov/vuln/detail/CVE-2026-44327

Affected versions

All versions up to 1.2.3

Solution

Unfortunately, there is no solution available yet.

Impact 10 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Weakness

  • CWE-306: Missing Authentication for Critical Function
  • CWE-862: Missing Authorization

Source file

go/github.com/free5gc/nef/CVE-2026-44327.yml

Page generated Tue, 12 May 2026 12:25:08 +0000.