CVE-2026-44475
Ella Core: UE Security Capability bypass on NGAP PathSwitchRequest
| CVSS Score | 6.1 |
| EPSS Score | 0.0% |
| EPSS Percentile | 4th |

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest. This vulnerability is fixed in 1.10.0.
| CWE | CWE-358 |
| Vendor | ellanetworks |
| Product | core |
| Published | May 27, 2026 |
| Last Updated | May 28, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
| Attack Vector | Adjacent |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | None |
| Integrity | Low |
| Availability | Low |
Affected Versions
ellanetworks / core
< 1.10.0