{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44330/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nef (\u003c= 1.2.3)"],"_cs_severities":["critical"],"_cs_tags":["free5GC","NEF","unauthenticated access","CVE-2026-44330","PFD management","network security"],"_cs_type":"advisory","_cs_vendors":["free5GC"],"content_html":"\u003cp\u003eThe free5GC Network Exposure Function (NEF) is vulnerable to an unauthenticated access issue within the \u003ccode\u003ennef-pfdmanagement\u003c/code\u003e API. The vulnerability, present in versions up to v4.2.1, stems from a missing inbound OAuth2/bearer-token authorization check on the \u003ccode\u003ennef-pfdmanagement\u003c/code\u003e route group. This oversight allows any network attacker capable of reaching the NEF on the SBI (Service Based Interface) to bypass authentication using forged bearer tokens. The \u003ccode\u003ennef-pfdmanagement\u003c/code\u003e API is intended for production use, as it is declared in the runtime \u003ccode\u003eServiceList\u003c/code\u003e and should be protected by OAuth2 authentication. This vulnerability allows attackers to read PFD application data and manipulate PFD change-notification subscriptions without proper authorization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the free5GC NEF SBI (Service Based Interface), typically running on port 8000.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request to the \u003ccode\u003e/nnef-pfdmanagement/v1/applications\u003c/code\u003e endpoint, including a forged or arbitrary bearer token in the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eNEF processes the request without proper authentication, querying the UDR (Unified Data Repository) for PFD data.\u003c/li\u003e\n\u003cli\u003eNEF returns the PFD application data to the attacker, exposing sensitive traffic-classification policies.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request to the \u003ccode\u003e/nnef-pfdmanagement/v1/subscriptions\u003c/code\u003e endpoint with a forged bearer token, including a \u003ccode\u003enotifyUri\u003c/code\u003e pointing to an attacker-controlled endpoint.\u003c/li\u003e\n\u003cli\u003eNEF creates the PFD subscription, directing change notifications to the attacker\u0026rsquo;s \u003ccode\u003enotifyUri\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP DELETE request to \u003ccode\u003e/nnef-pfdmanagement/v1/subscriptions/{subID}\u003c/code\u003e with a forged bearer token, targeting a legitimate subscription.\u003c/li\u003e\n\u003cli\u003eNEF deletes the targeted PFD subscription, disrupting legitimate change notifications.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe unauthenticated access vulnerability in free5GC\u0026rsquo;s NEF v4.2.1 allows attackers to read AF-supplied PFD application data, create attacker-controlled PFD change-notification subscriptions, and delete legitimate PFD subscriptions. Successful exploitation can lead to the leakage of traffic-classification policies, turning NEF into an unauthenticated outbound HTTP request source, and disrupting legitimate PFD-update propagation. This vulnerability affects the intended production path for PFD services, posing a critical risk to 5G network operators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Forged Token Access to free5GC NEF PFD Data\u003c/code\u003e to detect unauthorized attempts to access PFD data via the \u003ccode\u003ennef-pfdmanagement\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Forged Token Subscription Manipulation in free5GC NEF\u003c/code\u003e to detect unauthorized attempts to create or delete PFD subscriptions via the \u003ccode\u003ennef-pfdmanagement\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eApply the patch or upgrade to a fixed version of free5GC NEF that addresses CVE-2026-44330.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic to the NEF SBI (IP address \u003ccode\u003e10.100.200.19\u003c/code\u003e) for suspicious activity related to the \u003ccode\u003e/nnef-pfdmanagement/v1/\u003c/code\u003e endpoints listed in the IOC table.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-09T14:30:00Z","date_published":"2026-05-09T14:30:00Z","id":"/briefs/2026-05-free5gc-nef-auth-bypass/","summary":"free5GC's NEF nnef-pfdmanagement API is vulnerable to unauthenticated access, allowing attackers with network access to read PFD data and create/delete PFD subscriptions by using forged bearer tokens due to the absence of inbound OAuth2/bearer-token authorization.","title":"free5GC NEF nnef-pfdmanagement API Unauthenticated Access Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-free5gc-nef-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44330","version":"https://jsonfeed.org/version/1.1"}