CVE-2026-30080
Received Received - Intake
Security Mode Downgrade in OpenAirInterface v2.2.0 Enables Replay Attack

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: MITRE

Description
OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30080
EUVD
EUVD-2026-20503
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openairinterface oai-cn5g-amf 2.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-294 A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30080 is a security vulnerability in OpenAirInterface (OAI) version 2.2.0's Access and Mobility Management Function (AMF). The AMF improperly accepts a Security Mode Complete message without enforcing integrity protection when a User Equipment (UE) indicates support only for the IA0 integrity algorithm, which means no integrity protection.

Although the AMF is configured to support stronger integrity algorithms (NIA1 and NIA2), it erroneously proceeds with registration requests from UEs that advertise only IA0. This behavior violates the 5G specification, which requires rejecting such requests because IA0 provides no integrity protection.

As a result, the AMF accepts messages with zero Message Authentication Code (MAC) fields and continues the registration process, allowing a downgrade of the security context. This flaw can be exploited to perform replay attacks.

Compliance Impact

The vulnerability in OpenAirInterface v2.2.0 allows acceptance of Security Mode Complete messages without integrity protection, enabling a downgrade to no-integrity (IA0) security context. This behavior violates the 5G security specifications, which mandate rejection of such requests to ensure message integrity.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the acceptance of unprotected messages and potential for replay attacks could lead to unauthorized access or manipulation of user data, which may impact compliance with data protection regulations that require ensuring data integrity and confidentiality.

Therefore, this vulnerability could indirectly affect compliance with common standards and regulations by undermining the security guarantees necessary to protect personal and sensitive data.

Impact Analysis

This vulnerability can impact you by allowing an attacker to downgrade the security context of a 5G registration process to one without integrity protection.

Because the AMF accepts registration requests from UEs that support only the IA0 algorithm (which provides no integrity), an attacker could exploit this to replay previously captured messages.

Replay attacks can lead to unauthorized access, session hijacking, or other malicious activities by reusing valid messages, potentially compromising the security and integrity of the 5G network communications.

Detection Guidance

This vulnerability can be detected by monitoring the Access and Mobility Management Function (AMF) logs for acceptance of Security Mode Complete messages without integrity protection, specifically when the User Equipment (UE) indicates support only for the IA0 integrity algorithm (no integrity).

Detection involves checking if the AMF accepts initial registration requests from UEs that advertise only IA0, despite the AMF configuration supporting only NIA1 and NIA2.

A practical approach is to capture and analyze NGAP and NAS message exchanges, looking for sequences where:

  • InitialUEMessage contains UE Security Capability IE indicating IA0 only (0x70).
  • Security Mode Complete messages are accepted with a zero MAC field (no integrity).
  • Despite the AMF configuration disallowing IA0, the registration proceeds instead of being rejected.

Commands to assist detection could include using packet capture tools (e.g., tcpdump or Wireshark) to filter and inspect NGAP and NAS messages between UE and AMF, for example:

  • tcpdump -i <interface> -w capture.pcap port 38412 # Capture NGAP messages over SCTP
  • Use Wireshark to decode NGAP and NAS messages and check the UE Security Capability IE and MAC fields in Security Mode Complete messages.
Mitigation Strategies

Immediate mitigation involves configuring the AMF to strictly enforce integrity protection by rejecting any initial registration requests from UEs that indicate support only for the IA0 (no integrity) algorithm.

Specifically, the AMF should be updated or configured to:

  • Reject registration requests during the initial Registration Request phase if the UE supports only IA0.
  • Verify the MAC field in Security Mode Complete messages to ensure integrity protection is present and valid.
  • Prevent progression of registration if integrity checks fail or if IA0 is indicated.

If a patch or updated version of OpenAirInterface AMF is available that addresses this issue, applying it promptly is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30080. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart