CVE-2026-10157
Received - Intake
Improper Authentication in Open5GS NGAP PathSwitchRequest Handler

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is a188e36b1741ffc2252133f59b1bda4f14d3cb5c. It is suggested to install a patch to address this issue.
Meta Information
Published: 2026-05-31
Last Modified: 2026-05-31
Generated: 2026-05-31
AI Q&A: 2026-05-31
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

| Vendor | Product | Version / Range |
| --- | --- | --- |
| open5gs | open5gs | to 2.7.6 (inc) |
| CWE ID | Description |
| --- | --- |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Open5GS up to version 2.7.6, specifically in the NGAP PathSwitchRequest Message Handler component. The issue arises because the AMF (Access and Mobility Management Function) fails to properly verify UE (User Equipment) security capabilities received in PathSwitchRequest messages against the locally stored values. Instead, it overwrites the stored security capabilities with potentially incorrect or malicious values sent by a target RAN node.

This improper authentication allows a remote attacker, such as a malicious gNB, to manipulate the UE's security context by sending arbitrary security capabilities. The corrupted security information then propagates to other legitimate network nodes, causing persistent denial-of-service conditions during handover procedures.

The vulnerability is due to missing verification and mismatch detection in the code handling the PathSwitchRequest, which violates security standards and can be exploited remotely. A patch has been released to fix this by adding verification, mismatch detection, logging, and preserving the correct locally stored security capabilities.
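The difference between the unverified and the verified handling described above, as an added C example that is not Open5GS code: the struct and function names are hypothetical, the four 16-bit bitmaps model the NGAP UE security capabilities, and the log format and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the NR and E-UTRA algorithm bitmaps. */
typedef struct {
    uint16_t nr_ea, nr_ia, eutra_ea, eutra_ia;
} ue_sec_cap_t;

typedef struct {
    ue_sec_cap_t stored;   /* capabilities the AMF already holds for this UE */
    unsigned mismatches;   /* rejected overwrite attempts, for alerting */
} amf_ue_t;

static int cap_equal(const ue_sec_cap_t *a, const ue_sec_cap_t *b)
{
    return a->nr_ea == b->nr_ea && a->nr_ia == b->nr_ia &&
           a->eutra_ea == b->eutra_ea && a->eutra_ia == b->eutra_ia;
}

/* Unverified pattern: whatever the target RAN node sends replaces the stored value. */
void path_switch_unverified(amf_ue_t *ue, const ue_sec_cap_t *rx)
{
    ue->stored = *rx;
}

/* Verified pattern: compare, log both sides, keep the local copy.
 * Returns 1 on mismatch, 0 when the received value matches. */
int path_switch_verified(amf_ue_t *ue, const ue_sec_cap_t *rx)
{
    if (cap_equal(&ue->stored, rx))
        return 0;
    ue->mismatches++;
    fprintf(stderr, "UE security capability mismatch: "
            "stored NR[%04x/%04x] E-UTRA[%04x/%04x], "
            "received NR[%04x/%04x] E-UTRA[%04x/%04x]\n",
            (unsigned)ue->stored.nr_ea, (unsigned)ue->stored.nr_ia,
            (unsigned)ue->stored.eutra_ea, (unsigned)ue->stored.eutra_ia,
            (unsigned)rx->nr_ea, (unsigned)rx->nr_ia,
            (unsigned)rx->eutra_ea, (unsigned)rx->eutra_ia);
    return 1;   /* ue->stored is untouched; later handovers use it */
}

int main(void)
{
    amf_ue_t ue = { { 0xE000, 0xE000, 0xE000, 0xE000 }, 0 };  /* constructed */
    ue_sec_cap_t rx = { 0x0000, 0x0000, 0x0000, 0x0000 };     /* constructed */
    int mismatch = path_switch_verified(&ue, &rx);
    printf("mismatch=%d stored nr_ia=%04x\n", mismatch, (unsigned)ue.stored.nr_ia);
    return 0;
}
```

The `mismatches` counter gives monitoring a per-UE signal to alert on in addition to the log line.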


How can this vulnerability impact me?

This vulnerability can lead to improper authentication and manipulation of UE security capabilities within the 5G or 4G core network. An attacker can remotely exploit this flaw to overwrite the legitimate security capabilities with incorrect values.

The impact includes persistent denial-of-service (DoS) for affected user equipment during handover procedures, as corrupted security information causes target network nodes to reject handover requests.

This can disrupt network service availability for users, degrade network reliability, and potentially allow unauthorized manipulation of security parameters, undermining the integrity and confidentiality of communications.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability violates 3GPP security standards, specifically the requirement to verify UE security capabilities during path switch procedures as outlined in 3GPP TS 33.501 §6.7.3.1.

Failure to properly authenticate and protect UE security capabilities can lead to unauthorized manipulation of security contexts, which may result in breaches of confidentiality, integrity, and availability of user data.

Such security failures could impact compliance with regulations like GDPR and HIPAA, which mandate protection of personal and sensitive data, as well as ensuring network security to prevent unauthorized access and service disruption.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring logs for mismatches between locally stored UE security capabilities and those received in PathSwitchRequest messages. The patched Open5GS implementation logs any detected mismatches with details of stored versus received security capabilities.

To detect exploitation attempts, you should check the AMF logs for entries indicating security capability mismatches during path switch procedures.

Since the vulnerability involves improper overwriting of UE security capabilities in the AMF component, you can look for unusual or repeated PathSwitchRequest messages from gNBs that cause capability mismatches.

Specific commands depend on your logging setup, but generally, you can use commands like:

  • grep 'UE security capability mismatch' /var/log/open5gs/amf.log
  • tail -f /var/log/open5gs/amf.log | grep PathSwitchRequest
  • Use packet capture tools (e.g., tcpdump) to monitor NGAP PathSwitchRequest messages for suspicious or malformed UE security capabilities.

What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to apply the official patch identified by commit a188e36b1741ffc2252133f59b1bda4f14d3cb5c to your Open5GS deployment.

This patch ensures that the AMF/MME verifies UE security capabilities received in PathSwitchRequest messages against locally stored values, preventing unauthorized overwriting.

Until the patch is applied, consider restricting or monitoring untrusted gNBs that can send PathSwitchRequest messages to the AMF to reduce the risk of exploitation.

Additionally, enable detailed logging on the AMF to detect and respond to any suspicious PathSwitchRequest messages that may indicate an attack attempt.

