CVE-2026-37233
Description
FlexRIC v2.0.0 authorization bypass allows a malicious xApp to delete other xApps' subscriptions, breaking multi-tenant isolation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlexRIC v2.0.0 through at least commit 6a595d8b contains an authorization bypass in the iApp's xApp isolation mechanism due to an incorrect comparison in the eq_xapp_ric_gen_id() function within src/ric/iApp/xapp_ric_id.c. This function incorrectly compares m0->xapp_id against itself instead of m1->xapp_id, effectively bypassing the xApp identity check [1].
Exploitation
A malicious xApp connected to the iApp on SCTP port 36422 can send an E42_RIC_SUBSCRIPTION_DELETE_REQUEST message containing a victim xApp's ric_gen_id. Due to the flawed comparison logic, this request can be resolved to delete another xApp's subscriptions, even without proper authorization [1].
Impact
Successful exploitation allows an attacker to delete subscriptions belonging to other xApps. This breaks the multi-tenant isolation in FlexRIC deployments where multiple xApps share the same RIC, potentially leading to service disruption and unauthorized modification of subscription data [1].
Mitigation
No upstream fix was available at the time of publication. Operators are advised to restrict iApp access to trusted xApps. The vulnerability requires a code change to correctly compare both operands' xapp_id fields and verify subscription delete requests [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The equality function eq_xapp_ric_gen_id() incorrectly compares an xApp ID against itself, bypassing authorization checks."
Attack vector
A malicious xApp connected to the iApp's SCTP port 36422 can send an E42_RIC_SUBSCRIPTION_DELETE_REQUEST. This request can include a victim xApp's ric_gen_id. Because the equality check is flawed, the request will be incorrectly processed as if it originated from the victim xApp, allowing the malicious xApp to delete the victim's subscriptions [1].
Affected code
The vulnerability lies within the `eq_xapp_ric_gen_id()` function located in `src/ric/iApp/xapp_ric_id.c`. This function is responsible for comparing xApp identifiers. The subscription delete handling path in `src/ric/iApp/msg_handler_iapp.c` utilizes this flawed comparison logic [1].
What the fix does
No upstream fix was available at the time of publication. Operators are advised to restrict iApp access to trusted xApps. The recommended mitigation involves ensuring the equality predicate correctly compares both operands' xapp_id fields and that subscription delete requests verify ownership by the request source [1].
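The self-comparison and the corrected predicate can be put side by side in a small model, added here as an illustration and not taken from FlexRIC's source. Only the field names `xapp_id` and `ric_gen_id` come from the advisory; the struct layout, the flattening of `ric_gen_id` to one integer, and the names `sub_key_t`, `eq_flawed`, `eq_fixed` and `resolve_delete` are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for the iApp subscription key; this layout is an assumption. */
typedef struct {
  uint16_t xapp_id;    /* identity of the owning xApp */
  uint32_t ric_gen_id; /* subscription identifier, flattened to one integer here */
} sub_key_t;

/* Flawed predicate as the advisory describes it: xapp_id is compared with itself. */
bool eq_flawed(const sub_key_t* m0, const sub_key_t* m1)
{
  if (m0->xapp_id != m0->xapp_id) return false; /* never true, so the owner is ignored */
  return m0->ric_gen_id == m1->ric_gen_id;
}

/* Corrected predicate: the owner field of both operands takes part in the comparison. */
bool eq_fixed(const sub_key_t* m0, const sub_key_t* m1)
{
  return m0->xapp_id == m1->xapp_id && m0->ric_gen_id == m1->ric_gen_id;
}

typedef bool (*eq_fn)(const sub_key_t*, const sub_key_t*);

/* Index of the subscription a delete request resolves to, or -1 if none matches.
   `requester` is the xApp id bound to the connection, not a value from the message. */
int resolve_delete(const sub_key_t* subs, size_t n, uint16_t requester,
                   uint32_t ric_gen_id, eq_fn eq)
{
  const sub_key_t wanted = { .xapp_id = requester, .ric_gen_id = ric_gen_id };
  for (size_t i = 0; i < n; ++i)
    if (eq(&subs[i], &wanted)) return (int)i;
  return -1;
}

/* Constructed sample table: two tenants with one subscription each. */
const sub_key_t SUBS[] = { { .xapp_id = 7, .ric_gen_id = 100 },
                           { .xapp_id = 9, .ric_gen_id = 200 } };

int main(void)
{
  /* xApp 9 asks to delete ric_gen_id 100, which belongs to xApp 7. */
  int flawed = resolve_delete(SUBS, 2, 9, 100, eq_flawed); /* resolves to xApp 7's entry */
  int fixed = resolve_delete(SUBS, 2, 9, 100, eq_fixed);   /* no match */
  return (flawed == 0 && fixed == -1) ? 0 : 1;
}
```

The cross-tenant lookup in `main` works as a regression test for any patched predicate: a key that differs only in `xapp_id` must not match.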
Preconditions
- network: The attacker must be able to connect to the iApp's SCTP port 36422.
- input: The attacker must know the victim xApp's ric_gen_id.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.