CVE-2026-30079
Published: 07 April 2026
Summary
CVE-2026-30079 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Openairinterface Oai-Cn5G-Amf. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific flaw in AMF state machine handling of out-of-sequence messages during UE registration to prevent authentication bypass.
Requires validation of protocol message inputs, including sequence order, to block out-of-sequence SecurityModeComplete messages that trigger incorrect state transitions.
Mandates identification and authentication of UEs (devices) before allowing registration, countering the bypass enabled by improper state handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote authentication bypass in a network-accessible 5G AMF component (public-facing service) via crafted out-of-sequence messages, directly enabling initial access through exploitation of a public-facing application (T1190).
NVD Description
In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration…
more
accept! This leads the UE to be registered without proper authentication.
Deeper analysisAI
CVE-2026-30079 is a critical vulnerability in the Access and Mobility Management Function (AMF) of OpenAirInterface version 2.2.0. It stems from improper handling of out-of-sequence messages during the User Equipment (UE) registration procedure, causing incorrect state transitions. Specifically, if a SecurityModeComplete message is sent after InitialUERegistration, the AMF issues a registration reject followed by a registration accept, enabling complete bypass of authentication and allowing the UE to register without verification. The issue is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is exploitable by any network-accessible attacker with low complexity and no required privileges or user interaction. During the UE registration process, an attacker can inject an out-of-sequence SecurityModeComplete message to manipulate the AMF's state machine, tricking it into accepting the registration without performing authentication. Successful exploitation grants unauthorized access to the network as a registered UE, compromising confidentiality, integrity, and availability with high impact.
Mitigation details are available in the upstream issue tracker at https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77, published on 2026-04-07.
Details
- CWE(s)