A critical security flaw has been uncovered in Open5GS, a popular open-source implementation of 5G core network functions. The vulnerability, tracked as CVE-2026-0622, stems from a classic, yet devastating mistake: the use of default, hardcoded cryptographic secrets that allow attackers to forge administrative keys and seize control of the network management interface.
The flaw specifically targets the optional WebUI component, which administrators use to manage configuration and subscriber data.
The vulnerability lies in how the WebUI handles authentication. Like many modern web applications, it uses JSON Web Tokens (JWTs) to verify user identity and permissions. However, the system was shipped with a fatal default setting.
According to the vulnerability note, “The Open5GS WebUI component contains default hardcoded secrets used for security-sensitive operations, including JSON Web Token (JWT) signing”.
Ideally, these secrets should be randomized during installation. Instead, the developers initialized these critical environment variables to a static, publicly known value: “change-me”.
The report highlights the danger of this configuration: “If these defaults are not changed, an attacker can forge valid authentication tokens and gain administrative access to the WebUI”. Because the “secret” key is known to everyone, anyone can sign their own digital pass to the system.
The impact of this vulnerability is total system compromise for the WebUI. “Successful exploitation may result in full access of the WebUI component and all of its permissions”.
Once an attacker has forged a valid admin token, they can bypass other security controls, such as Cross-Site Request Forgery (CSRF) protections, because the system views them as a legitimate, authenticated administrator.
From there, the attacker has free rein. “This vulnerability allows unauthorized read and write access to sensitive data, including subscriber information and system configuration”. This could allow malicious actors to modify subscriber profiles, disrupt network services, or steal sensitive user data.
The vulnerability was reported by Andrew Fasano from NIST’s Center for AI Standards & Innovation.
A patch against version v2.7.6 (released in July 2025) has been released to address the issue. The fix “introduces the use of a self-contained .env file for the WebUI’s Next.js environment and removes reliance on hardcoded default secret values”.
For administrators unable to apply the patch immediately, the solution is manual configuration. Users are strongly advised to manually define “strong, cryptographically secure random values” for the process.env.SECRET_KEY and process.env.JWT_SECRET_KEY variables to ensure their deployments are unique and secure.