CVE-2026-8743 Overview
CVE-2026-8743 is an improper authorization vulnerability in Open5GS through version 2.7.6. The flaw resides in the ran_ue_find_by_amf_ue_ngap_id function within src/amf/context.c, part of the Access and Mobility Management Function (AMF) and Mobility Management Entity (MME) components. An authenticated remote attacker can exploit the issue across the network to perform actions outside their authorization scope. The weakness is classified under CWE-266: Incorrect Privilege Assignment. A public exploit description exists, and the Open5GS maintainers have published a patch identified by commit hash 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1.
Critical Impact
An authenticated remote attacker can bypass authorization checks in the Open5GS AMF/MME context lookup, leading to limited confidentiality, integrity, and availability impact on the 5G/4G core network function.
Affected Products
- Open5GS versions up to and including 2.7.6
- Open5GS AMF (Access and Mobility Management Function) component
- Open5GS MME (Mobility Management Entity) component
Discovery Timeline
- 2026-05-17 - CVE-2026-8743 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8743
Vulnerability Analysis
The vulnerability affects how Open5GS resolves Radio Access Network (RAN) User Equipment (UE) contexts inside the AMF and MME. The ran_ue_find_by_amf_ue_ngap_id function in src/amf/context.c locates a RAN UE state object by its AMF UE NGAP (Next Generation Application Protocol) identifier. The lookup does not enforce sufficient authorization on the returned context, allowing a caller with low privileges to act on UE state that should be restricted.
Because Open5GS implements core network functions for 4G LTE and 5G deployments, the AMF/MME context store holds subscriber session metadata, NGAP associations, and signaling state. Improper authorization at the lookup layer permits cross-context access to this state. EPSS data reports a probability of 0.039% (11.9th percentile), indicating low observed exploitation activity at publication.
Root Cause
The root cause is missing or insufficient authorization validation on the context object returned by ran_ue_find_by_amf_ue_ngap_id. The function returns RAN UE structures based on an identifier match without verifying that the requesting actor or session is permitted to operate on the located UE record. This matches the CWE-266 pattern of incorrect privilege assignment during privileged object resolution.
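The pattern described above, reduced to a minimal model: an identifier-only lookup beside a lookup that is also scoped to the requesting RAN association. This is an added example, not Open5GS code and not the upstream patch; the struct, the function names, and the sample table are hypothetical.

```c
/* Simplified model of an unscoped context lookup. NOT Open5GS code:
 * every type, function name and value here is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t amf_ue_ngap_id; /* identifier carried in signaling */
    int      assoc_id;       /* RAN association (peer) that owns this UE */
} ue_ctx_t;

/* Constructed sample state: two UEs owned by two different RAN peers. */
static ue_ctx_t ue_table[] = {
    { 1001, 1 },
    { 1002, 2 },
};
#define UE_COUNT (sizeof(ue_table) / sizeof(ue_table[0]))

/* Weak form: any identifier match is returned, whoever is asking. */
ue_ctx_t *ue_find_by_id(uint64_t id)
{
    for (size_t i = 0; i < UE_COUNT; i++)
        if (ue_table[i].amf_ue_ngap_id == id)
            return &ue_table[i];
    return NULL;
}

/* Hardened form: the match must also belong to the requesting association. */
ue_ctx_t *ue_find_by_id_for_assoc(uint64_t id, int requester_assoc)
{
    ue_ctx_t *ue = ue_find_by_id(id);
    if (ue == NULL)
        return NULL;
    if (ue->assoc_id != requester_assoc) {
        fprintf(stderr, "reject: assoc %d asked for UE %llu owned by assoc %d\n",
                requester_assoc, (unsigned long long)id, ue->assoc_id);
        return NULL; /* treated as not found; caller takes its error path */
    }
    return ue;
}

int main(void)
{
    /* Peer 2 names peer 1's UE: weak lookup resolves it, scoped one refuses. */
    printf("weak:   %s\n", ue_find_by_id(1001) ? "resolved" : "not found");
    printf("scoped: %s\n", ue_find_by_id_for_assoc(1001, 2) ? "resolved" : "not found");
    printf("owner:  %s\n", ue_find_by_id_for_assoc(1001, 1) ? "resolved" : "not found");
    return 0;
}
```

The rejection message on stderr is the kind of event the monitoring recommendations call for: a peer referencing a UE identifier outside its own association.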
Attack Vector
An attacker reaches the vulnerable code path over the network through standard NGAP or S1AP signaling to the AMF or MME. Low-privilege authentication is required, but no user interaction is needed. Successful exploitation produces limited impact on confidentiality, integrity, and availability of the affected core network function. The vulnerability does not propagate outside the affected component scope. Refer to the Open5GS Pull Request #4553 and Open5GS Issue #4498 for the upstream technical discussion.
Detection Methods for CVE-2026-8743
Indicators of Compromise
- Unexpected NGAP or S1AP messages referencing AMF UE NGAP identifiers that do not correspond to legitimate gNB or eNB associations.
- AMF or MME log entries showing RAN UE context lookups followed by state changes on subscribers not bound to the requesting RAN node.
- Subscriber session anomalies such as unexplained context releases, handover failures, or duplicate UE NGAP IDs across associations.
Detection Strategies
- Review Open5GS AMF and MME logs for repeated calls resolving UE contexts that originate from unexpected SCTP associations.
- Correlate NGAP signaling traces with subscriber identifiers (SUPI/IMSI) to detect cross-session activity inconsistent with normal mobility procedures.
- Verify the deployed Open5GS build against commit 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1 to confirm patch status.
Monitoring Recommendations
- Ingest AMF, MME, and SCTP-layer logs into a centralized analytics pipeline to baseline normal NGAP/S1AP signaling rates and identifier distributions.
- Alert on authenticated peers issuing context operations targeting UE NGAP IDs outside their association scope.
- Track Open5GS release notes and the Open5GS GitHub repository for follow-up fixes and regression advisories.
How to Mitigate CVE-2026-8743
Immediate Actions Required
- Upgrade Open5GS to a release that includes commit 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1, which corrects the authorization logic in ran_ue_find_by_amf_ue_ngap_id.
- Restrict NGAP and S1AP reachability to authorized gNB and eNB peers using network segmentation, SCTP allow-lists, and IPsec where supported.
- Audit existing AMF/MME peer associations and rotate any credentials shared with untrusted or decommissioned RAN nodes.
Patch Information
The Open5GS project addressed the issue in commit 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1, merged via Open5GS Pull Request #4553. Operators running Open5GS up to 2.7.6 should rebuild from a source tree that contains this commit or install a vendor-provided package that incorporates it.
Workarounds
- Limit AMF/MME exposure by enforcing strict SCTP peer allow-lists and placing core network functions on isolated signaling VLANs.
- Require mutual authentication and IPsec for N2 and S1-MME interfaces to reduce the population of actors able to reach the vulnerable function.
- Monitor for and terminate anomalous RAN associations until the patched build is deployed.
```bash
# Build Open5GS from source with the upstream fix applied
git clone https://github.com/open5gs/open5gs.git
cd open5gs
git fetch origin
git checkout 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1
meson build --prefix=`pwd`/install
ninja -C build
ninja -C build install
```


