Description
Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset
Published: 2026-01-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access or privilege escalation via WebUI authentication
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the Open 5GS WebUI component, which falls back to the hard-coded JWT signing key "change-me" (ASCII hyphen, exactly as in the description above) when the environment variable JWT_SECRET_KEY is not set. This flaw allows an attacker to forge valid JSON Web Tokens without needing valid credentials. The attacker can then authenticate as the WebUI administrator and read, modify, or delete network configuration and subscriber data. The weakness is identified as CWE-798: Hard-coded cryptographic key, and the impact is a loss of authentication integrity, potentially leading to full control over the 5G core network.

Affected Systems

Affected systems include the Open 5GS WebUI service provided by NewPlane:open5GS. Any deployment of open5GS that does not explicitly define JWT_SECRET_KEY at launch is susceptible. Version information is not specified in the advisory, implying all current releases that use the default hard‑coded key are at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low current probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation is straightforward: an attacker with network access to the WebUI can construct a JWT signed with the known key and gain administrator privileges without needing to bypass any other authentication mechanism. Because the flaw resides in the default key logic, it can be triggered immediately without additional configuration changes on the target system.

Generated by OpenCVE AI on April 18, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Set the JWT_SECRET_KEY environment variable to a strong, unique key before starting the open5GS WebUI service to prevent the hard‑coded key from being used
  • Apply the latest kernel or Open 5GS patch that removes the hard‑coded JWT secret key and implements secure key management
  • Restart the Open 5GS WebUI service after applying the variable change or patch to ensure the new configuration takes effect

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 21:45:00 +0000

Type       | Values removed | Values added
Weaknesses |                | CWE-798
CPEs       |                | cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

Wed, 21 Jan 2026 17:15:00 +0000

Type    | Values removed | Values added
Metrics |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
        |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 11:30:00 +0000

Type                | Values removed | Values added
First Time appeared |                | Open5gs; Open5gs open5gs
Vendors & Products  |                | Open5gs; Open5gs open5gs

Tue, 20 Jan 2026 21:30:00 +0000

Type       | Values removed | Values added
References |                |

Tue, 20 Jan 2026 20:15:00 +0000

Type        | Values removed | Values added
Description |                | Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset
Title       |                | Open 5GS WebUI uses a hard-coded JWT signing key
References  |                |

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-01-21T16:47:50.399Z

Reserved: 2026-01-05T20:12:06.482Z

Link: CVE-2026-0622

Vulnrichment

Updated: 2026-01-20T20:27:10.033Z

NVD

Status: Analyzed

Published: 2026-01-20T20:16:01.483

Modified: 2026-02-03T21:38:57.637

Link: CVE-2026-0622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses