Free5gc

free5GC's NEF nnef-pfdmanagement API is vulnerable to unauthenticated access, allowing attackers with network access to read PFD data and create/delete PFD subscriptions by using forged bearer tokens due to the absence of inbound OAuth2/bearer-token authorization.

free5GC's Session Management Function (SMF) UPI interface lacks authentication, allowing unauthenticated network attackers to read/write/delete UP-node and link topology data via exposed APIs.

The free5GC NRF's /oauth2/token endpoint is vulnerable to a type confusion vulnerability due to incorrect parsing of form data, leading to a denial-of-service via unauthenticated requests.

A nil pointer dereference vulnerability exists in free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler when UDR access fails, causing a denial-of-service condition.

free5GC's SMF is vulnerable to an unauthenticated denial-of-service attack where a crafted POST request to the `/upi/v1/upNodesLinks` endpoint can trigger a `Fatalf` call, terminating the entire SMF process, effectively disrupting network services.

The free5GC UDM component fails to validate the `supi` path parameter in six GET handlers, allowing an unauthenticated attacker to inject control characters and trigger a `500 Internal Server Error` that exposes internal infrastructure details.

An improper path validation vulnerability exists in the free5gc UDR service, allowing unauthenticated attackers with access to the 5G Service Based Interface (SBI) to read Traffic Influence Subscriptions.

A remote attacker can exploit CVE-2026-30653 in Free5GC v4.2.0 and earlier by sending crafted requests to the AMF component's HandleAuthenticationFailure function, leading to a denial-of-service condition.

free5GC's NEF component is vulnerable to a denial-of-service attack where an attacker can create a PFD subscription with an attacker-controlled `notifyUri`, and when a PFD change is triggered, NEF attempts to deliver a notification to the specified URI, and if the URI is unreachable, NEF terminates the entire process, causing a service outage, and this can be triggered without authentication in version 4.2.1, making it easily exploitable.

free5GC's SMF is vulnerable to an unauthenticated denial-of-service attack where a crafted DELETE request to the /upi/v1/upNodesLinks/{ref} endpoint triggers a nil-pointer dereference, causing a panic and mutating the in-memory user-plane topology, impacting the selection of UPFs for legitimate UE sessions.