Skip to main content

CVE-2026-30080

| EUVDEUVD-2026-20503 HIGH
Authentication Bypass by Capture-replay (CWE-294)
2026-04-08 mitre GHSA-ppqh-5vmg-4xr4
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 16:31 euvd
EUVD-2026-20503
Analysis Generated
Apr 08, 2026 - 16:31 vuln.today
CVE Published
Apr 08, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack.

AnalysisAI

Integrity protection bypass in OpenAirInterface v2.2.0 allows unauthenticated network attackers to downgrade 5G security context by forcing acceptance of IA0-only capability during initial UE registration, despite NIA1/NIA2 being configured. Exploitation enables replay attacks against mobile network infrastructure through manipulation of Security Mode Complete messages, compromising session integrity without confidentiality impact. No public exploit identified at time of analysis.

Technical ContextAI

CWE-294 capture-replay vulnerability. Core Network AMF component fails to enforce minimum integrity algorithm requirements during NAS security negotiation. Accepts UE security capability containing only null integrity algorithm (IA0), violating 3GPP mandatory integrity protection specifications even when stronger algorithms (NIA1/NIA2) are system-configured.

RemediationAI

Vendor-acknowledged issue tracked in upstream repository; released patched version not independently confirmed at time of analysis. Primary mitigation: monitor GitLab issue tracker at https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78 for patch release, then upgrade AMF component immediately upon availability. Interim workaround: implement network-layer policy enforcement to reject UE registration attempts presenting security capability lists containing only IA0, mandating minimum NIA1 or NIA2 integrity algorithms at MME/AMF level through configuration hardening. For production 5G Core deployments, consider temporarily restricting untrusted UE connections until patch deployment completes. Consult vendor advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-30080

Share

CVE-2026-30080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy