CVE-2026-0622: CWE-798 Use of Hard-coded Credentials in NewPlane open5GS
Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset
AI Analysis
Technical Summary
CVE-2026-0622 identifies a security vulnerability in the open5GS project by NewPlane, specifically in its WebUI component. The issue stems from the use of a hard-coded JWT signing key with the literal value 'change-me' whenever the environment variable JWT_SECRET_KEY is not set. JWT (JSON Web Token) signing keys are crucial for ensuring the authenticity and integrity of tokens used for user authentication and authorization. By relying on a default, hard-coded key, the system exposes itself to token forgery attacks, allowing an attacker to craft valid JWTs without possessing legitimate credentials. This vulnerability is categorized under CWE-798, which addresses the use of hard-coded credentials that are difficult to change and often widely known. The open5GS platform is an open-source implementation of 5G core network functions, widely used for 5G network deployments and testing. The vulnerability affects version 0 of the product, indicating early or initial releases. No CVSS score has been assigned yet, and no known exploits are reported in the wild, but the flaw is inherently serious due to the critical role of JWT keys in securing access. Attackers exploiting this vulnerability could gain unauthorized access to the WebUI, manipulate network configurations, or disrupt 5G network operations. The lack of a patch link suggests that remediation is pending or that users must manually configure the environment variable to mitigate the risk.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the security and integrity of 5G network infrastructure. Unauthorized access to the open5GS WebUI could allow attackers to alter network configurations, intercept or redirect traffic, and potentially disrupt critical communication services. Given the increasing reliance on 5G for industrial, governmental, and consumer applications across Europe, exploitation could lead to service outages, data breaches, and compromise of sensitive communications. The impact extends to telecommunications providers, infrastructure vendors, and enterprises deploying private 5G networks. The confidentiality of user data and the integrity of network operations are at risk, potentially affecting national security and economic activities. The absence of known exploits provides a window for proactive mitigation, but the ease of exploitation due to the hard-coded key means attackers with network access could quickly leverage this flaw.
Mitigation Recommendations
To mitigate CVE-2026-0622, organizations should immediately verify that the JWT_SECRET_KEY environment variable is set to a strong, unique, and unpredictable secret in all open5GS deployments. Automated deployment scripts and configuration management tools must be updated to enforce this setting and prevent fallback to the default hard-coded key. Conduct thorough audits of existing open5GS installations to detect any instances where the default key is still in use. Implement network segmentation and access controls to limit exposure of the WebUI to trusted administrators only. Monitor authentication logs for suspicious token usage patterns that may indicate exploitation attempts. Engage with the NewPlane open5GS community or vendor for patches or updates addressing this vulnerability. Additionally, consider integrating multi-factor authentication for WebUI access to add an extra security layer. Regularly update and patch open5GS components as new versions become available to address this and other vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: certcc
- Date Reserved: 2026-01-05T20:12:06.482Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 696fe03c4623b1157c4c7680
Added to database: 1/20/2026, 8:06:20 PM
Last enriched: 1/20/2026, 8:20:38 PM
Last updated: 1/20/2026, 9:09:43 PM