Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp_id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a matching ric_gen_id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC.
AnalysisAI
Authorization bypass in FlexRIC v2.0.0 allows a malicious xApp to delete subscriptions belonging to other xApps connected to the same iApp instance, breaking multi-tenant isolation in O-RAN deployments. The root cause is a self-comparison bug in eq_xapp_ric_gen_id() that ignores the xApp identity dimension entirely. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%).
Technical ContextAI
FlexRIC is an open-source Near-Real-Time RAN Intelligent Controller (Near-RT RIC) developed by EURECOM as part of the Mosaic5G project, used in O-RAN research and 5G testbed deployments. The iApp component on TCP port 36422 brokers communication between multiple xApps (extended applications) and enforces isolation between them by xApp identity. The vulnerability is a CWE-617 'Reachable Assertion' / logic error in src/ric/iApp/xapp_ric_id.c where the equality predicate eq_xapp_ric_gen_id() compares m0->xapp_id against itself (m0->xapp_id) rather than against m1->xapp_id, causing the function to treat ric_gen_id collisions across different xApps as identity matches. This effectively removes the xApp dimension from the subscription ownership check, enabling cross-tenant subscription manipulation.
RemediationAI
No vendor-released patch identified at time of analysis; the EURECOM GitLab repository should be monitored for an upstream fix to src/ric/iApp/xapp_ric_id.c that corrects eq_xapp_ric_gen_id() to compare m0->xapp_id against m1->xapp_id. As an interim source-level mitigation, operators building FlexRIC from source can apply a one-line patch to that comparison and rebuild. Compensating controls include restricting TCP port 36422 (iApp) to a trusted management network via host or network firewall rules so that only vetted xApp hosts can connect (trade-off: this is only meaningful in deployments that do not already expose 36422 broadly, and does not protect against a malicious tenant whose xApp is legitimately onboarded), and operationally limiting RIC instances to a single trusted xApp tenant until a patched build is available (trade-off: defeats the multi-tenant use case the RIC is designed for). Review the third-party advisory at https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37233.md for any updated patch guidance.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today