{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30080", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T20:45:42.267Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-08T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-08T16:04:37.407Z"}, "descriptions": [{"lang": "en", "value": "OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-294", "lang": "en", "description": "CWE-294 Authentication Bypass by Capture-replay"}]}], "references": [{"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:44:07.722198Z", "id": "CVE-2026-30080", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:45:42.267Z"}}]}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openairinterface:oai-cn5g-amf:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1BB4900E-B5A7-40ED-8DA6-4E372D5036D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack."}], "id": "CVE-2026-30080", "lastModified": "2026-04-14T15:47:10.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T17:21:18.623", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-294"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "oai-cn5g-amf", "vendor": "openairinterface"}], "analysis": {"en": {"generated_at": "2026-04-14T18:06:21.793094+00:00", "value": {"mitigation_remediation": ["Update to a later OpenAirInterface release that enforces integrity protection on Security Mode Complete", "If an upgrade is not timely, reconfigure the AMF to reject Security Mode Complete messages lacking IA1 or IA2 integrity", "Disable support for IA0 in UE configurations or enforce mandatory integrity in network policy", "Monitor traffic for anomalous Security Mode Complete exchanges and alert on replay patterns"], "summary": {"action": "Patch", "impact": "Replay vulnerability due to lack of integrity protection"}, "threat_synthesis": {"affected_systems": "The affected product is the OpenAirInterface CN5G AMF (oai-cn5g-amf) version 2.2.0, deployed in 5G core networks.", "description_and_impact": "OpenAirInterface v2.2.0 accepts a Security Mode Complete message even when no integrity protection has been negotiated, allowing the security context to be downgraded to IA0. This weakness can be exploited to replay previously recorded registration or control messages, potentially enabling an attacker to re\u2011establish a connection or act as an authorized user. The flaw is a classic integrity bypass that maps to CWE\u2011294, compromising the authenticity and non\u2011repudiation of messages.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating a high risk, but the EPSS score is below 1% and it is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. Attackers would need the ability to send crafted Security Mode Complete messages to the AMF, typically from an UE or a compromised device within the same network. If they succeed, they can replay authentication or registration data to force the AMF into an insecure state."}}}}, "created": "2026-04-08T19:44:45.056036+00:00", "updated": "2026-04-15T16:15:11.961024+00:00", "vendors": ["openairinterface", "openairinterface$PRODUCT$oai-cn5g-amf"]}