{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30079", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T13:47:21.689Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T14:29:16.535Z"}, "descriptions": [{"lang": "en", "value": "In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-288", "lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:45:56.182698Z", "id": "CVE-2026-30079", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:47:21.689Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30079", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T13:45:56.182698Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:47:15.329Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77"}], "descriptions": [{"lang": "en", "value": "In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T14:29:16.535Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30079", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:47:21.689Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-07T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication."}], "id": "CVE-2026-30079", "lastModified": "2026-04-09T14:16:30.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T15:17:38.267", "references": [{"source": "cve@mitre.org", "url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.2.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "oai-cn5g-amf", "vendor": "openairinterface"}], "analysis": {"en": {"generated_at": "2026-04-07T20:15:11.512163+00:00", "value": {"mitigation_remediation": ["Check for an official patch or update to OpenAirInterface AMF v2.2.0 and apply it immediately.", "If a patch is not available, enable strict state validation on the AMF to reject out\u2011of\u2011sequence SecurityModeComplete messages and monitor logs for abnormal registration acceptance patterns.", "Consider temporarily limiting the acceptance of SecurityModeComplete messages to authenticated sessions only.", "Consult the OAI/Eurecom community for any proposed workarounds or configuration adjustments."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected software is the OpenAirInterface 5G core network component AMF (Access and Mobility Management Function) running version 2.2.0. No other versions are explicitly mentioned as impacted, and no vendor has issued a patch at the time of this report.", "description_and_impact": "In OpenAirInterface V2.2.0 AMF, out\u2011of\u2011sequence messages trigger an incorrect state transition during the UE registration procedure. This flaw permits an attacker to bypass authentication entirely by sending a SecurityModeComplete message after an InitialUERegistration; the AMF first rejects and then accepts the registration, leading the UE to be registered without proper credentials. The vulnerability is a form of improper authentication and could allow an unauthenticated user to gain network access.", "risk_and_exploitability": "A CVSS score is not provided in the CVE record, and the EPSS value is unavailable, but the nature of the flaw suggests high severity because it lifts authentication requirements completely. It is inferred that the attack could be executed remotely by an entity that can send crafted signalling messages over the radio interface to the AMF. No public exploit is known, and the vulnerability is not listed in CISA\u2019s KEV catalog; however, the lack of mitigation guidance implies that operators should consider the risk critical until a vendor update is available."}}}}, "created": "2026-04-08T19:50:28.124863+00:00", "title": "Authentication Bypass via Out-of-Sequence Messages in OpenAirInterface AMF", "updated": "2026-04-09T08:24:36.607413+00:00", "vendors": ["openairinterface", "openairinterface$PRODUCT$oai-cn5g-amf"], "weaknesses": ["CWE-287"]}