
CISA advises on Open5GS WebUI default JWT secret

The Open5GS WebUI component, implemented with Node.js and Next.js for managing 5G core configuration and subscriber data, uses default hardcoded secrets for security-sensitive operations including JSON Web Token signing, enabling an attacker with network access to forge authentication tokens and obtain administrative access to the WebUI and its management endpoints.

CVE-2026-0622 documents that the WebUI relies on Node.js process.env variables, including process.env.SECRET_KEY and process.env.JWT_SECRET_KEY, that are initialized by default to the static value “change-me”. The component issues and validates JSON Web Tokens (JWTs) using this default hardcoded secret unless the executing environment explicitly overrides those variables, and the WebUI neither emits a warning at startup nor enforces a change from these defaults. The advisory notes that the WebUI is commonly deployed in containers or assumed to be exposed only locally.

An unauthenticated network attacker with access to the WebUI can generate forged JWTs using the known default secret and use those tokens to access or modify Representational State Transfer (REST) endpoints under /api/db/*. This allows unauthorized read and write access to sensitive data, including subscriber information and system configuration; Cross-Site Request Forgery (CSRF) protections do not mitigate requests authenticated with valid forged JWTs. Successful exploitation may result in full access to the WebUI component and all of its permissions.

A patch addressing the issue is available in pull request https://github.com/open5gs/open5gs/pull/4279 against version v2.7.6 released in July 2025; the patch adds a self-contained .env file for the WebUI’s Next.js environment and removes reliance on hardcoded default secret values so each WebUI deployment generates and uses independent, locally scoped cryptographic secrets. Developers integrating or redistributing the WebUI are encouraged to evaluate, validate, and adopt the changes prior to deployment.

Users unable to apply the patch are instructed to manually configure their Node.js environment to define strong, cryptographically secure random values for process.env.SECRET_KEY and process.env.JWT_SECRET_KEY that are unique per deployment and treated as sensitive secrets. Operators are also advised to restrict exposure of the WebUI by placing it behind network controls such as authentication gateways or secure content inspection proxies.