Skip to main content

EUVDEUVD-2026-19642

| CVE-2026-30079 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-04-07 mitre GHSA-j69j-3gv3-pwvg
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 15:00 euvd
EUVD-2026-19642
Analysis Generated
Apr 07, 2026 - 15:00 vuln.today
CVE Published
Apr 07, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication.

AnalysisAI

Authentication bypass in OpenAirInterface V2.2.0 Access Management Function (AMF) allows unauthenticated remote attackers to register unauthorized User Equipment (UE) devices on 5G core networks. Exploiting incorrect state machine transitions during UE registration, attackers send SecurityModeComplete messages after InitialUERegistration to trigger registration acceptance without completing proper authentication procedures. This grants full network access to malicious devices, enabling unauthorized subscriber services consumption, interception of traffic, and potential lateral movement within 5G infrastructure. No public exploit identified at time of analysis.

Technical ContextAI

CWE-288 authentication bypass via state machine confusion in AMF registration flow. Out-of-sequence SecurityModeComplete messages exploit logic flaws in state transition validation, causing protocol handler to issue both registration reject and accept responses consecutively. Vulnerable implementations fail to enforce strict ordering of 3GPP TS 23.502 authentication procedures, allowing attackers to skip AKA verification entirely.

RemediationAI

No vendor-released patch identified at time of analysis. Monitor GitLab issue tracker at https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77 for upstream resolution status and commit availability. Until patched version released, implement strict network-level access controls to restrict AMF exposure to authenticated MME/gNodeB entities only. Deploy protocol-aware firewalls enforcing correct 5G NAS message sequencing. Consider temporarily disabling vulnerable AMF instances in production 5G cores, reverting to validated prior releases if available. Consult vendor advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-30079 for updated guidance. Validate all UE registrations through external AUSF/UDM logs to detect bypass attempts.

Share

EUVD-2026-19642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy