Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication.
AnalysisAI
Authentication bypass in OpenAirInterface V2.2.0 Access Management Function (AMF) allows unauthenticated remote attackers to register unauthorized User Equipment (UE) devices on 5G core networks. Exploiting incorrect state machine transitions during UE registration, attackers send SecurityModeComplete messages after InitialUERegistration to trigger registration acceptance without completing proper authentication procedures. This grants full network access to malicious devices, enabling unauthorized subscriber services consumption, interception of traffic, and potential lateral movement within 5G infrastructure. No public exploit identified at time of analysis.
Technical ContextAI
CWE-288 authentication bypass via state machine confusion in AMF registration flow. Out-of-sequence SecurityModeComplete messages exploit logic flaws in state transition validation, causing protocol handler to issue both registration reject and accept responses consecutively. Vulnerable implementations fail to enforce strict ordering of 3GPP TS 23.502 authentication procedures, allowing attackers to skip AKA verification entirely.
RemediationAI
No vendor-released patch identified at time of analysis. Monitor GitLab issue tracker at https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77 for upstream resolution status and commit availability. Until patched version released, implement strict network-level access controls to restrict AMF exposure to authenticated MME/gNodeB entities only. Deploy protocol-aware firewalls enforcing correct 5G NAS message sequencing. Consider temporarily disabling vulnerable AMF instances in production 5G cores, reverting to validated prior releases if available. Consult vendor advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-30079 for updated guidance. Validate all UE registrations through external AUSF/UDM logs to detect bypass attempts.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19642
GHSA-j69j-3gv3-pwvg