Which versions of Open5gs are affected by CVE-2026-10157?

Open5GS versions up to 2.7.6 contain an authentication bypass in the 5G core network's AMF component that could allow remote attackers to manipulate UE security capabilities and gain unauthorized…. A patch is available.

Is there a public PoC exploit available for CVE-2026-10157?

Yes, a public proof-of-concept exploit is available for CVE-2026-10157. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-10157?

24 hours: Inventory all Open5GS deployments and identify systems running versions 2.7.6 or earlier. 7 days: Obtain patched Open5GS version from vendor advisory, test thoroughly in staging environment, then deploy to all affected production instances. 30 days: Verify patch deployment across all systems, validate NGAP message handling per 3GPP TS 33.501, and establish monitoring for anomalous path switch request behavior.

Open5gs CVE-2026-10157

Q: What is the CVSS score of CVE-2026-10157?

CVE-2026-10157 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-33476 MEDIUM

Improper Authentication (CWE-287)

2026-05-31 VulDB

GHSA-89hg-mhjp-f99q

Authentication Bypass Open5gs

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

May 31, 2026 - 02:22 NVD

HIGH MEDIUM

CVSS changed

May 31, 2026 - 02:22 NVD

7.3 (HIGH) 5.5 (MEDIUM)

Source Code Evidence Fetched

May 31, 2026 - 01:41 vuln.today

Analysis Generated

May 31, 2026 - 01:41 vuln.today

DescriptionCVE.org

A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is a188e36b1741ffc2252133f59b1bda4f14d3cb5c. It is suggested to install a patch to address this issue.

AnalysisAI

Authentication bypass in Open5GS versions up to 2.7.6 allows remote attackers to manipulate UE security capabilities through the AMF's NGAP PathSwitchRequest message handler in src/amf/ngap-handler.c. The flaw stems from the AMF blindly overwriting locally stored UE 5G security capabilities with values received from a target gNB during a path switch, violating 3GPP TS 33.501 6.7.3.1, and publicly available exploit code exists though no public exploit identified as actively exploited at time of analysis.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Recommended ActionAI

24 hours: Inventory all Open5GS deployments and identify systems running versions 2.7.6 or earlier. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-10157 vulnerability details – vuln.today

Back