Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack.
AnalysisAI
Integrity protection bypass in OpenAirInterface v2.2.0 allows unauthenticated network attackers to downgrade 5G security context by forcing acceptance of IA0-only capability during initial UE registration, despite NIA1/NIA2 being configured. Exploitation enables replay attacks against mobile network infrastructure through manipulation of Security Mode Complete messages, compromising session integrity without confidentiality impact. No public exploit identified at time of analysis.
Technical ContextAI
CWE-294 capture-replay vulnerability. Core Network AMF component fails to enforce minimum integrity algorithm requirements during NAS security negotiation. Accepts UE security capability containing only null integrity algorithm (IA0), violating 3GPP mandatory integrity protection specifications even when stronger algorithms (NIA1/NIA2) are system-configured.
RemediationAI
Vendor-acknowledged issue tracked in upstream repository; released patched version not independently confirmed at time of analysis. Primary mitigation: monitor GitLab issue tracker at https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78 for patch release, then upgrade AMF component immediately upon availability. Interim workaround: implement network-layer policy enforcement to reject UE registration attempts presenting security capability lists containing only IA0, mandating minimum NIA1 or NIA2 integrity algorithms at MME/AMF level through configuration hardening. For production 5G Core deployments, consider temporarily restricting untrusted UE connections until patch deployment completes. Consult vendor advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-30080
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20503
GHSA-ppqh-5vmg-4xr4