ZCyberNews
CVE-2026-8743

Open5GS AMF Flaw CVE-2026-8743 Enables Remote Authorization Bypass

CVE-2026-8743 (CVSS 6.5) in Open5GS up to 2.7.6 lets remote attackers bypass authorization via the AMF/MME ran_ue_find_by_amf_ue_ngap_id function. Exploit public.


Indicators of Compromise (1)

Type | Value | Description | Confidence
SHA1 | 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1 | Extracted from source material | high

Executive Summary

A medium-severity authorization bypass vulnerability, tracked as CVE-2026-8743 (CVSS 6.5), has been disclosed in Open5GS, an open-source 5G Core (5GC) and Evolved Packet Core (EPC) implementation. The flaw resides in the AMF/MME component's ran_ue_find_by_amf_ue_ngap_id function within src/amf/context.c. An attacker can exploit this remotely to bypass authorization checks, potentially gaining unauthorized access to subscriber session context data. Exploit code has been publicly released, increasing the risk of active exploitation. The project maintainers have issued a patch via commit 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1. Operators running Open5GS versions up to and including 2.7.6 should apply the fix immediately.

Technical Analysis

According to the National Vulnerability Database (NVD) entry and the Open5GS GitHub repository, the vulnerability affects the Access and Mobility Management Function (AMF) and Mobility Management Entity (MME) components. The specific function ran_ue_find_by_amf_ue_ngap_id is responsible for looking up a User Equipment (UE) context based on the AMF UE NGAP ID — a unique identifier assigned during the NG Application Protocol (NGAP) association between a gNodeB and the AMF.

The flaw stems from improper authorization validation within this lookup routine. An attacker who can craft or manipulate NGAP messages (which is feasible from a compromised gNodeB or via a rogue radio access network node) can trigger the function with a forged or out-of-context AMF UE NGAP ID. This can cause the AMF to return a UE context object that the requesting entity should not have access to, effectively bypassing access controls.

The vulnerability is remotely exploitable over the network, requiring no authentication. The CVSS v3.1 base score of 6.5 reflects a medium severity, with the vector string indicating network attack vector, low attack complexity, no privileges required, and user interaction not required. The primary impact is on confidentiality — an attacker could read sensitive subscriber context data — though the integrity and availability impacts are rated as none.

The exploit has been made public, as noted in the NVD entry. While the exact exploit details are not reproduced here, the public availability of proof-of-concept code lowers the barrier for adversaries. The Open5GS project has addressed the issue in commit 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1, which introduces proper authorization checks in the affected function. The fix is included in versions after 2.7.6.
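The bug class described above, as an added illustration in C (a simplified model, not Open5GS source and not the content of the fix commit): a lookup keyed only by the ID taken from the message, next to one that also requires the context to belong to the N2 association the message arrived on. The struct, table, counter, and function names are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model, NOT Open5GS source: every name here is hypothetical. */
typedef struct {
    uint64_t amf_ue_ngap_id; /* AMF-assigned ID carried in NGAP messages */
    int      gnb_assoc_id;   /* N2 association that owns this UE context */
} ue_ctx_t;

/* Constructed sample data: two UEs attached through two different gNBs. */
static ue_ctx_t ue_table[] = { { 1001, 1 }, { 1002, 2 } };
#define UE_COUNT (sizeof(ue_table) / sizeof(ue_table[0]))

/* Counter an operator could export and alert on (hypothetical metric). */
static unsigned cross_assoc_rejects;

/* Weak pattern: trusts the ID from the message, ignores who sent it. */
ue_ctx_t *find_by_id_unchecked(uint64_t id)
{
    for (size_t i = 0; i < UE_COUNT; i++)
        if (ue_table[i].amf_ue_ngap_id == id)
            return &ue_table[i];
    return NULL;
}

/* Hardened pattern: the context must also belong to the association the
 * message arrived on. A mismatch is counted and reported as "not found". */
ue_ctx_t *find_by_id_for_assoc(int assoc_id, uint64_t id)
{
    ue_ctx_t *ue = find_by_id_unchecked(id);
    if (ue == NULL)
        return NULL;
    if (ue->gnb_assoc_id != assoc_id) {
        cross_assoc_rejects++;
        return NULL;
    }
    return ue;
}

unsigned get_cross_assoc_rejects(void) { return cross_assoc_rejects; }

int main(void)
{
    /* Association 2 references the ID of a UE owned by association 1. */
    ue_ctx_t *weak = find_by_id_unchecked(1001);
    ue_ctx_t *safe = find_by_id_for_assoc(2, 1001);
    return (weak != NULL && safe == NULL) ? 0 : 1;
}
```

Returning the same result for "unknown ID" and "ID owned by another association" avoids confirming which IDs exist, while the reject counter gives monitoring a signal for cross-association requests.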

Open5GS is widely deployed in research labs, private 5G networks, and by mobile network operators for testing and production purposes. The AMF is a critical component in the 5G core, handling registration, connection management, and mobility. A compromise of the AMF could lead to broader network intrusion, subscriber data exposure, and potential lateral movement within the core network.

Mitigations & Recommendations

Operators should immediately upgrade Open5GS to a version that includes commit 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1 or later. The current stable release branch should be updated from the project's GitHub repository. For those unable to patch immediately, network segmentation is critical: restrict N2/N26 interface access to only trusted gNodeBs and MMEs. Monitor AMF logs for anomalous NGAP message patterns, particularly repeated failed lookups or requests for UE contexts from unexpected sources. Given the public exploit, assume active scanning for vulnerable instances has begun.
