Cyber Posture

CVE-2026-30080

Severity: High · Public PoC

Published: 08 April 2026
Modified: 14 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0003 (10.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30080 is a high-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in Openairinterface Oai-Cn5G-Amf. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 10.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly remediates the specific flaw in OpenAirInterface AMF that accepts IA0 security capability and downgrades to no integrity protection, preventing replay attacks.

prevent

Mandates cryptographic mechanisms including integrity protection for communications, ensuring Security Mode Complete messages are not accepted without integrity and blocking replay exploitation.

prevent

Requires replay-resistant session authentication, directly countering replay attacks enabled by the downgraded security context lacking integrity protection.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1557 Adversary-in-the-Middle (Tactic: Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
T1565.002 Transmitted Data Manipulation (Tactic: Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Vulnerability in publicly accessible AMF enables remote unauthenticated exploitation (T1190); lack of integrity protection directly facilitates MitM-style replay of signaling (T1557) and manipulation of transmitted messages (T1565.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack.

Deeper analysis [AI]

CVE-2026-30080 is a vulnerability in OpenAirInterface version 2.2.0, specifically within the CN5G AMF (Access and Mobility Management Function) component. The issue arises because the software accepts a Security Mode Complete message without any integrity protection, even though its configuration supports integrity algorithms NIA1 and NIA2. If a UE (User Equipment) sends an initial registration request advertising only the IA0 security capability (indicating no integrity), OpenAirInterface accepts it and proceeds, establishing a downgraded security context. This flaw is classified under CWE-294 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

An unauthenticated remote attacker can exploit this vulnerability by impersonating a UE and transmitting an initial registration request limited to IA0 integrity capability. With network accessibility, low attack complexity, and no required privileges or user interaction, the attacker tricks the AMF into activating a security context devoid of integrity protection. This enables replay attacks, where malicious messages can be captured and resent, resulting in high integrity impacts such as unauthorized modifications or repetitions of critical signaling messages.
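
The check whose absence is described above, as an added C++ example (not code from oai-cn5g-amf or from this page): the AMF picks the integrity algorithm from its own configured list, refuses a UE that offers only IA0, and drops a Security Mode Complete that arrives unprotected. The type and function names are hypothetical. The bit layout of the 5G-IA octet and the restriction of NIA0 to unauthenticated emergency sessions are taken from 3GPP TS 24.501 and TS 33.501, not from the page.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

enum class Nia : uint8_t { NIA0 = 0, NIA1 = 1, NIA2 = 2 };
constexpr uint8_t kPlainNas = 0;  // security header type 0: no integrity, no ciphering

struct AmfPolicy { std::vector<Nia> preferred; };   // hypothetical: configured order, e.g. NIA2, NIA1
struct NasCtx { Nia alg; bool unauth_emergency; };  // hypothetical per-UE security context

// 5G-IA octet of the UE security capability: IA0 = 0x80, IA1 = 0x40, IA2 = 0x20.
bool ue_supports(uint8_t ia_octet, Nia a) {
  return (ia_octet & (0x80 >> static_cast<uint8_t>(a))) != 0;
}

// Pick the first configured algorithm the UE also supports. NIA0 is skipped
// unless this is an unauthenticated emergency registration; nullopt = reject.
std::optional<Nia> select_nia(uint8_t ue_ia, const AmfPolicy& p, bool unauth_emergency) {
  for (Nia a : p.preferred) {
    if (a == Nia::NIA0 && !unauth_emergency) continue;
    if (ue_supports(ue_ia, a)) return a;
  }
  return std::nullopt;  // an IA0-only UE ends here instead of getting a null-integrity context
}

// Gate for Security Mode Complete: a plain message or a failed MAC is dropped.
bool accept_security_mode_complete(const NasCtx& ctx, uint8_t sec_hdr_type, bool mac_verified) {
  if (ctx.alg == Nia::NIA0) return ctx.unauth_emergency;
  return sec_hdr_type != kPlainNas && mac_verified;
}

int main() {
  AmfPolicy policy{{Nia::NIA2, Nia::NIA1}};      // constructed config
  const uint8_t ia0_only = 0x80, ia_all = 0xE0;  // constructed UE capability octets
  auto bad = select_nia(ia0_only, policy, false);
  auto good = select_nia(ia_all, policy, false);
  std::printf("IA0-only UE: %s\n", bad ? "accepted" : "rejected");
  std::printf("IA0+IA1+IA2 UE: NIA%d\n", good ? static_cast<int>(*good) : -1);
  std::printf("plain Security Mode Complete: %s\n",
              accept_security_mode_complete({Nia::NIA2, false}, kPlainNas, false) ? "accepted" : "dropped");
  return 0;
}
```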

The vulnerability is tracked in a GitLab issue for the oai-cn5g-amf repository at https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78, where security practitioners can review details on potential mitigations, patches, or workarounds.

Details

CWE(s)

Affected Products

Vendor: openairinterface
Product: oai-cn5g-amf
Version: 2.2.0

CVEs Like This One

CVE-2026-30079 (Same product: Openairinterface Oai-Cn5G-Amf)
CVE-2025-66786 (Same product: Openairinterface Oai-Cn5G-Amf)
CVE-2025-65805 (Same product: Openairinterface Oai-Cn5G-Amf)
CVE-2026-30078 (Same product: Openairinterface Oai-Cn5G-Amf)
CVE-2026-30075 (Same product: Openairinterface Oai-Cn5G-Amf)
CVE-2026-30077 (Same vendor: Openairinterface)
CVE-2025-67135 (Shared CWE-294)
CVE-2025-26201 (Shared CWE-294)
CVE-2025-59023 (Shared CWE-294)
CVE-2026-20999 (Shared CWE-294)
