Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-30080

CVE-2026-30080: OpenAirInterface Auth Bypass Vulnerability

CVE-2026-30080 is an authentication bypass flaw in OpenAirInterface v2.2.0 that accepts unprotected Security Mode Complete messages, enabling downgrade attacks. This article covers technical details, security impact, and mitigation.

Published:

CVE-2026-30080 Overview

CVE-2026-30080 is a security mode downgrade vulnerability in OpenAirInterface v2.2.0 that allows attackers to bypass integrity protection mechanisms in 5G network communications. The vulnerability exists because the OpenAirInterface Access and Mobility Management Function (AMF) accepts Security Mode Complete messages without any integrity protection, even when the configuration supports integrity algorithms NIA1 and NIA2.

When a User Equipment (UE) sends an initial registration request with only security capability IA0 (null integrity algorithm), OpenAirInterface accepts and proceeds with the connection instead of rejecting the insecure configuration. This security context downgrade creates conditions favorable for replay attacks against the 5G network infrastructure.

Critical Impact

This vulnerability enables attackers to downgrade 5G security contexts to bypass integrity protection, potentially facilitating replay attacks against telecommunications infrastructure.

Affected Products

  • OpenAirInterface v2.2.0
  • OpenAirInterface CN5G AMF Component

Discovery Timeline

  • April 8, 2026 - CVE-2026-30080 published to NVD
  • April 9, 2026 - Last updated in NVD database

Technical Details for CVE-2026-30080

Vulnerability Analysis

This vulnerability represents a critical weakness in the 5G security negotiation process within OpenAirInterface. The 5G Non-Access Stratum (NAS) security architecture relies on integrity protection algorithms (NIA1, NIA2, NIA3) to ensure message authenticity and prevent tampering. The flaw occurs during the security mode command procedure when the AMF fails to enforce minimum security requirements.

The root issue is classified as CWE-294 (Authentication Bypass by Capture-replay), as the missing integrity protection enables replay attack scenarios. In a properly secured 5G network, the AMF should reject any UE that only advertises IA0 (null integrity) capability when stronger algorithms are configured and required.

Root Cause

The vulnerability stems from insufficient validation of UE security capabilities during the initial registration and security mode command procedures. The OpenAirInterface AMF implementation does not enforce configured integrity protection requirements, allowing the security negotiation to complete even when the UE only offers IA0 (no integrity protection). This permissive behavior contradicts secure 5G deployment practices where integrity protection should be mandatory.

Attack Vector

The attack exploits the network-accessible security negotiation process:

  1. An attacker positions themselves as a rogue UE or intercepts legitimate UE communications
  2. During initial registration, the attacker sends a security capability advertisement containing only IA0 (null integrity)
  3. The vulnerable AMF accepts this downgraded security context despite supporting NIA1/NIA2
  4. With no integrity protection on subsequent NAS messages, the attacker can capture and replay authenticated messages
  5. Replay attacks can be used to impersonate legitimate UEs or disrupt network services

The attack requires network access to the 5G core network and does not require prior authentication or user interaction, making it exploitable remotely.

Detection Methods for CVE-2026-30080

Indicators of Compromise

  • UE registration requests advertising only IA0 security capability when legitimate devices should support NIA1/NIA2
  • Security Mode Complete messages received without integrity protection
  • Unusual patterns of repeated or replayed NAS messages in AMF logs
  • Multiple registration attempts from the same IMSI/SUPI with varying security capabilities

Detection Strategies

  • Monitor AMF logs for security mode procedures completing with IA0 (null integrity) algorithm selection
  • Implement network traffic analysis to detect anomalous 5G NAS signaling patterns
  • Configure alerting on security capability mismatches between expected UE profiles and actual registrations
  • Deploy intrusion detection rules to flag Security Mode Complete messages lacking integrity MAC

Monitoring Recommendations

  • Enable verbose logging on the OpenAirInterface AMF component for security-related events
  • Implement baseline monitoring for typical UE security capability advertisements in your network
  • Monitor for sudden increases in registration failures or security mode procedure anomalies
  • Review AMF configuration periodically to ensure integrity protection enforcement policies are active

How to Mitigate CVE-2026-30080

Immediate Actions Required

  • Review OpenAirInterface AMF configuration to understand current integrity protection settings
  • Monitor the GitLab issue discussion for official patches and updates
  • Implement network-level access controls to restrict unauthorized access to 5G core components
  • Consider deploying additional network monitoring to detect potential exploitation attempts

Patch Information

As of the last update on April 9, 2026, users should monitor the official OpenAirInterface GitLab repository for security patches. The vulnerability has been discussed in GitLab Issue #78 on the OAI CN5G AMF project. Organizations should subscribe to the issue for updates and apply patches as soon as they become available.

Workarounds

  • Configure network policies to reject UE registrations that only advertise IA0 security capability if your infrastructure supports this filtering
  • Implement additional authentication and monitoring layers around the AMF to detect downgrade attempts
  • Consider network segmentation to limit exposure of the 5G core network to untrusted entities
  • Deploy anomaly detection systems capable of identifying replay attack patterns in NAS signaling

Administrators should review their OpenAirInterface deployment configuration and implement strict security capability requirements where possible. The AMF configuration should be reviewed to ensure that minimum acceptable integrity algorithms are enforced, preventing acceptance of null integrity (IA0) registrations.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.