Description
FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp_id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a matching ric_gen_id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC.
Published: 2026-06-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FlexRIC v2.0.0 contains an authorization bypass in the iApp’s xApp isolation mechanism. The function that should compare two xApp IDs instead compares one ID against itself, effectively ignoring the identity dimension of the target xApp. As a result, an attacker can delete any other xApp’s subscriptions by issuing a delete request that appears to originate from a permitted xApp. This flaw undermines multi‑tenant isolation and allows a malicious xApp to tamper with the resources of all other xApps sharing the same RIC, leading to integrity loss and potential service disruption.

Affected Systems

The vulnerability applies to FlexRIC version 2.0.0. Only deployments where multiple xApps share the same controller (iApp) are affected. No other vendors or product versions are known to be impacted.

Risk and Exploitability

The EPSS score is < 1%, indicating a low but non‑zero likelihood of exploitation, and the CVSS score of 7.5 reflects a high‑medium severity. The vulnerability is not listed in CISA’s KEV catalog, so no known widespread exploitation reports. The flaw permits a malicious actor to connect to the iApp on port 36422 and send a crafted delete request, bypassing intended access controls. Based on the description, the likely attack vector is a malicious xApp that is allowed to communicate with the iApp; once connected, it can exploit the bug without further privileges. The impact is severe because it allows deletion of shared subscriptions, breaking the isolation guarantees of multi‑tenant deployments.

Generated by OpenCVE AI on June 2, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of FlexRIC that corrects the comparison logic in eq_xapp_ric_gen_id
  • Restrict network access to port 36422 so that only trusted xApps can connect, or use firewall rules to isolate the iApp from untrusted hosts
  • Implement monitoring or logging to detect and alert on unexpected RIC_SUBSCRIPTION_DELETE_REQUEST messages targeting xApps not owned by the sender

Generated by OpenCVE AI on June 2, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mosaic5g:flexric:2.0.0:*:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title Authorization Bypass in FlexRIC v2.0.0 Enables Deletion of Other xApp Subscriptions
First Time appeared Mosaic5g
Mosaic5g flexric
Vendors & Products Mosaic5g
Mosaic5g flexric

Tue, 02 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Authorization Bypass Allows xApp to Delete Other xApp Subscriptions in FlexRIC
Weaknesses CWE-284

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Authorization Bypass Allows xApp to Delete Other xApp Subscriptions in FlexRIC
Weaknesses CWE-284

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp_id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a matching ric_gen_id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC.
References

Subscriptions

Mosaic5g Flexric
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-02T15:29:56.809Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37233

cve-icon Vulnrichment

Updated: 2026-06-02T15:29:50.619Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T19:16:33.743

Modified: 2026-06-03T17:16:08.960

Link: CVE-2026-37233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:55:16Z

Weaknesses