Tag
medium
advisory
Pipecat Telephony Runner Unauthenticated Call-Control Abuse
1 rule, 3 TTPs, 3 IOCs
An unauthenticated remote attacker can leverage a missing authorization vulnerability (CWE-862) in the Pipecat development runner's `/ws` WebSocket endpoint to supply a crafted `callSid` in a handshake message, compelling the server to use its configured Twilio, Telnyx, or Plivo credentials to issue authenticated API requests that terminate active calls, resulting in denial of service and credential abuse.
pipecat development runner
api-security
websocket
telephony
cwe-862
python
high
advisory
free5GC NEF Unauthenticated Callback Vulnerability
2 rules, 1 TTP
free5GC NEF v4.2.1 exposes an unauthenticated callback route group, enabling attackers to forge SMF callbacks and potentially corrupt AF traffic-influence or PFD-management subscription views, leading to unauthorized policy changes.
nef:v4.2.1 +1
5G
NEF
Authentication Bypass
CWE-306
CWE-862