CVE-2026-30080: OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported int

Description

OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack.

Affected Products

Vendor	Product	Versions
—	n/a	n/a, 2.2.0

References

https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78

Related News (1 articles)

Tier C

VulDB9h ago

CVE-2026-30080 | OpenAirInterface oai-cn5g-amf 2.2.0 Security Mode downgrade

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

PublishedApr 8, 2026

Last enriched8h agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Updated: affectedVersions, severity, tags

Apr 8, 2026

Version History

Last enriched 8h ago

v2Tier C8h ago

Updated vendor to OpenAirInterface, product to oai-cn5g-amf, set severity to HIGH, and added tags related to downgrade and security.

affectedVersionsseveritytags

via VulDB

v19h ago

Initial creation