HIGH 7.3

CVE-2026-10157: Open5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk

Open5GS, an open-source 5G core network software stack, contains an authentication bypass vulnerability in its NGAP (NG Application Protocol) PathSwitchRequest message handler. An unauthenticated attacker can exploit this remotely to bypass authentication controls, potentially gaining unauthorized access to 5G network functions. The vulnerability affects Open5GS versions up to 2.7.6 and has been publicly disclosed with exploit code available, elevating the practical risk to deployed systems.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-287
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is a188e36b1741ffc2252133f59b1bda4f14d3cb5c. It is suggested to install a patch to address this issue.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in src/amf/ngap-handler.c within the NGAP PathSwitchRequest Message Handler component of Open5GS. It stems from improper authentication logic (CWE-287: Improper Authentication) when processing specific NGAP signaling messages during handover or path-switch scenarios. The flaw permits an attacker to craft a malicious PathSwitchRequest that bypasses authentication verification, allowing unauthorized access to Access and Mobility Management Function (AMF) resources. The attack is network-accessible, requires no credentials or user interaction, and can be executed by an unauthenticated remote actor. A patch is available (commit a188e36b1741ffc2252133f59b1bda4f14d3cb5c).

Business impact

Organizations running Open5GS in production 5G deployments face significant operational and security risk. An attacker exploiting this flaw could intercept, reroute, or hijack 5G traffic, execute man-in-the-middle attacks, or gain unauthorized access to sensitive network functions. For telecom operators or private 5G network administrators, this could lead to service disruption, data theft, regulatory violations, and loss of customer trust. The availability of public exploit code substantially increases the likelihood of opportunistic attacks.

Affected systems

Open5GS versions up to and including 2.7.6 are vulnerable. This includes both community deployments and any production 5G testbeds or private networks built on this codebase. Organizations using newer versions should verify their exact version and patch status. No official vendor advisory with comprehensive product enumeration was provided; operators should cross-reference their deployment inventory against the affected version range.

Exploitability

This vulnerability is highly exploitable in practice. The attack requires no authentication, no user interaction, and is network-accessible from an unauthenticated remote position. The CVSS v3.1 score of 7.3 (HIGH) reflects low attack complexity and broad attack surface. Publicly available exploit code is documented, and no known mitigations or workarounds exist short of patching. Threat actors targeting 5G infrastructure or telecommunications operators are likely already aware and actively testing this flaw.

Remediation

Immediate patching is strongly recommended. Organizations must update Open5GS to a version newer than 2.7.6 that includes the security fix (commit a188e36b1741ffc2252133f59b1bda4f14d3cb5c). For operators unable to patch immediately, network segmentation—isolating the AMF from untrusted networks and enforcing strict firewall rules on NGAP traffic—can reduce but not eliminate risk. Monitoring for anomalous PathSwitchRequest patterns and implementing intrusion detection signatures may provide detection-layer defense while patches are prepared.

Patch guidance

Verify and deploy the patched version of Open5GS that includes commit a188e36b1741ffc2252133f59b1bda4f14d3cb5c. Consult the Open5GS project repository and release notes to identify the corresponding tagged release version. Testing patches in a non-production environment before deployment is essential to confirm compatibility with your specific 5G network configuration. Plan patching during a maintenance window to minimize service disruption, particularly if your network handles active subscribers or critical traffic.

Detection guidance

Monitor NGAP traffic for unusual PathSwitchRequest messages originating from unauthenticated sources or containing malformed authentication fields. Implement deep packet inspection (DPI) rules to detect anomalous NGAP signaling patterns. Log and alert on authentication failures within the AMF component, especially when originating from unexpected network addresses. Correlate NGAP events with Access Point Name (APN) or handover anomalies. Network-based intrusion detection systems (IDS) tuned for 5G protocol violations may also flag exploit attempts.

Why prioritize this

This vulnerability warrants immediate attention due to its combination of high exploitability (unauthenticated, network-accessible, public exploit code available), high severity (authentication bypass in core network), and broad impact on 5G infrastructure. The CVSS score of 7.3 and the absence of the vulnerability from the CISA Known Exploited Vulnerabilities (KEV) catalog does not diminish urgency; the public availability of exploit code makes widespread compromise probable. Organizations running Open5GS in any production or critical role should treat this as a priority-one patch.

Risk score, explained

The CVSS v3.1 score of 7.3 (HIGH) is derived from a network attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within the vulnerable component (S:U). This score appropriately reflects a remotely exploitable authentication bypass with no prerequisites. In context, the availability of public exploit code elevates real-world risk beyond the base CVSS score, and operators should apply organizational and environmental scoring adjustments if performing a full CVSS assessment.

Frequently asked questions

Is Open5GS used in commercial telecom networks?

Open5GS is primarily used in research environments, private 5G networks, and non-commercial deployments. However, it serves as a reference implementation for 5G core components and is deployed in some operator labs and test networks. Confirm whether your organization uses Open5GS in production; if so, treat this vulnerability as critical.

What exactly is the PathSwitchRequest message, and why is this handler a target?

PathSwitchRequest is an NGAP message used during 5G handover when a UE (user equipment) switches between base stations while maintaining an active session. The handler processes this signaling message within the AMF. Flaws in authentication at this juncture are critical because attackers can spoof legitimate handover events to bypass security checks and inject unauthorized traffic or reroute calls.

Can this vulnerability be exploited from outside the 5G core network (e.g., from the internet)?

Yes. The CVSS vector (AV:N) confirms network accessibility without the need for physical access or internal network presence. However, exploitation typically requires visibility or routing to the NGAP interface (usually internal to the telecom operator). Operators with proper network segmentation and firewall policies may have reduced exposure, but do not rely on network obscurity as a defense.

Should we rebuild Open5GS from the patched commit, or wait for an official tagged release?

If an official release has been published that includes commit a188e36b1741ffc2252133f59b1bda4f14d3cb5c, use that for stability and support. If only the commit is available, you may rebuild from source, but thoroughly test in a staging environment first. Consult the Open5GS project maintainers or your support channels for guidance on the official release timeline and version number.

This analysis is based on the vulnerability record as of the publication date. Security information is subject to change as additional details emerge or patches are released. Organizations should verify all patch versions, affected product lists, and vendor advisories directly with the Open5GS project maintainers and their own infrastructure teams. SEC.co provides this information for defensive security purposes; unauthorized access to networks or systems remains illegal regardless of vulnerability status. Test all patches in non-production environments before deployment to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).