Seven CVEs Disclosed in Open5GS 5G Core Software, Public Exploits Available
Seven vulnerabilities, including a high-severity authentication bypass, have been disclosed in the open-source Open5GS 5G Core network software, with public exploits already released for all flaws.
Seven vulnerabilities were disclosed on May 30–31, 2026, targeting Open5GS, the widely used open-source 5G Core network implementation. The batch includes one high-severity improper-authentication bug in the NGAP PathSwitchRequest handler and six medium-severity flaws concentrated in the SBI (Service-Based Interface) library. Public exploits have been released for all seven CVEs, raising the urgency for operators running Open5GS in testbeds or production-like environments.
The most critical finding is CVE-2026-10157 (CVSS 7.3, High), which resides in the NGAP PathSwitchRequest message handler of the Access and Mobility Management Function (AMF). The vulnerability allows improper authentication, meaning an attacker could potentially trigger a path-switch procedure without proper credentials. Because NGAP handles core mobility events between gNBs and the AMF, a successful exploit could lead to session hijacking or traffic misdirection. The exploit is publicly available, and the flaw affects Open5GS up to version 2.7.6.
The remaining six CVEs all land in the SBI layer, specifically in the NRF (Network Repository Function) message parsers that handle NF profile registration and discovery — a critical control-plane pathway in the 5G core. Three of these — CVE-2026-10115, CVE-2026-10113, and CVE-2026-10156 — are denial-of-service bugs in the Shared NF-profile Parser and the handle_amf_info function. All three are remotely triggerable with public exploits, and they can cause resource exhaustion or crash the NRF/AMF processes by sending crafted SBI messages.
CVE-2026-10116 (CVSS 4.3) affects the ue-authentications endpoint via the ogs_sbi_xact_add function in ogs-timer.c, another remotely exploitable DoS triggered by manipulated SBI transactions. CVE-2026-10117 (CVSS 4.3) targets the HTTP/2 server component of the SBI layer in nghttp2-server.c, where a crafted request can exhaust memory pools, leading to denial of service.
CVE-2026-10114 (CVSS 4.3) stands apart from the DoS cluster: it is an out-of-bounds write in the handle_scp_info function of the Shared NF-profile Parser. While scored Medium, out-of-bounds writes in control-plane parsers can sometimes be chained for more severe impact, especially in memory-unsafe C codebases.
At the time of disclosure, the vendor had not yet released a patched version addressing all seven CVEs. The affected range is Open5GS up to 2.7.7 (with CVE-2026-10157 affecting up to 2.7.6). Operators should monitor the Open5GS GitHub repository and the project's release announcements for a fix. Until a patch is available, network segmentation and strict access control to the SBI and N26 interfaces are recommended to limit exposure to remote attackers.
Open5GS is widely used in 5G research labs, private 5G deployments, and as a reference implementation for 3GPP core-network testing. A batch of seven remotely exploitable CVEs — with public exploits — in the AMF and NRF components means that unpatched instances are trivially discoverable and attackable. The concentration of bugs in the SBI/NNRF parser is particularly concerning because the NRF is the central service-discovery hub of the 5G core; a DoS or OOB write there can disrupt the entire control plane. Operators should prioritize patching once a release is available and audit any Open5GS instances exposed to untrusted networks.