CVE-2026-40245
Information Disclosure in Free5GC UDR Exposes Subscriber Identifiers
Publication date: 2026-04-16
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | up to and including 4.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-202 | When trying to keep information confidential, an attacker can often infer some of the information by using statistics. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40245 is an information disclosure vulnerability in the Unified Data Repository (UDR) service of free5GC versions 4.2.1 and below. The vulnerability occurs in the GET endpoint /nudr-dr/v2/application-data/influenceData/subs-to-notify, which is supposed to require certain query parameters to filter results. When these parameters are missing, the service sends an HTTP 400 error response but fails to stop execution afterward. As a result, it continues processing and returns the full list of Traffic Influence Subscriptions, including sensitive subscriber identifiers such as SUPI and IMSI, in the response body.
This means an unauthenticated attacker with network access to the 5G Service Based Interface can retrieve sensitive subscriber identifiers by sending a simple parameterless HTTP GET request. The vulnerability also exists when a malformed snssai parameter is sent, due to a similar missing return statement after error handling.
The flaw undermines the privacy guarantees of the 3GPP SUCI concealment mechanism at the core network level by exposing permanent subscriber identifiers. It requires no authentication, privileges, or user interaction, making it highly exploitable.
How can this vulnerability impact me?
This vulnerability can lead to the exposure of highly sensitive subscriber information, specifically the SUPI and IMSI identifiers, which are permanent and unique to each subscriber in 5G networks.
An attacker with network access to the 5G Service Based Interface can exploit this flaw without any authentication or privileges by sending a simple HTTP GET request without required parameters. This can result in unauthorized disclosure of subscriber identities.
Such exposure compromises subscriber privacy and can facilitate further attacks such as tracking, profiling, or targeted attacks against subscribers.
The vulnerability may arise in environments where the 5G Service Based Interface is exposed to untrusted networks due to misconfiguration, rogue network functions, or compromised hosts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending an unauthenticated HTTP GET request without any query parameters to the vulnerable endpoint and observing the response.
Specifically, you can test the endpoint `/nudr-dr/v2/application-data/influenceData/subs-to-notify` on the 5G Service Based Interface (SBI) of free5GC versions 4.2.1 and below.
A simple curl command to check for the vulnerability:
- `curl -i -X GET http://<free5gc-udr-ip>:<port>/nudr-dr/v2/application-data/influenceData/subs-to-notify`
If the response status is HTTP 400 but the body contains a list of Traffic Influence Subscriptions including SUPI/IMSI values, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch provided by the free5GC project that adds missing return statements after sending HTTP 400 error responses in the vulnerable handler function.
This patch ensures that no subscriber data is included in error responses, preventing information leakage.
Additionally, restrict network access to the 5G Service Based Interface (SBI) to trusted networks only, preventing unauthenticated attackers from reaching the vulnerable endpoint.
Review and correct any misconfigurations that expose the SBI to untrusted networks, and monitor for rogue network functions or compromised hosts that could exploit this vulnerability.
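The bug class behind this advisory (an HTTP 400 written without a following return, so the handler falls through and appends the full record list to the error body) and the detection check above can be shown in-process. The following Go program is an added example written for this page; it is not free5GC's code. The handler names, the `dnn`/`snssai` query parameters used as the required filter, the `Probe` helper and the sample SUPI values are all constructed for illustration. It serves both the explanation of the flaw and the mitigation section: `leakyHandler` reproduces the fall-through, `fixedHandler` adds the early return that the fix describes, and `Probe` applies the same check as the curl command (status 400 but subscriber identifiers in the body).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TrafficInfluenceSub is a constructed stand-in for a UDR Traffic Influence
// Subscription record; only the field relevant to the leak is modelled.
type TrafficInfluenceSub struct {
	Supi string `json:"supi"`
}

// Constructed sample repository contents (not real subscriber data).
var subscriptions = []TrafficInfluenceSub{
	{Supi: "imsi-001010000000001"},
	{Supi: "imsi-001010000000002"},
}

// requiredParamsPresent models the endpoint's precondition: results must be
// filtered by query parameters. "dnn" and "snssai" are assumed names here.
func requiredParamsPresent(r *http.Request) bool {
	q := r.URL.Query()
	return q.Get("dnn") != "" && q.Get("snssai") != ""
}

// leakyHandler reproduces the bug class: the 400 is written, but execution
// continues into the success path, so the list is appended to the error body.
func leakyHandler(w http.ResponseWriter, r *http.Request) {
	if !requiredParamsPresent(r) {
		http.Error(w, `{"title":"missing query parameters"}`, http.StatusBadRequest)
		// BUG: missing return; the handler falls through to the success path.
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(subscriptions)
}

// fixedHandler is the same handler with the early return that the fix adds:
// an error response must never carry subscriber data.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	if !requiredParamsPresent(r) {
		http.Error(w, `{"title":"missing query parameters"}`, http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(subscriptions)
}

// Probe sends a parameterless GET to a handler in-process and reports the
// status code and whether any SUPI appears in the body. A 400 status combined
// with leaksSupi == true is the condition the advisory's check describes.
func Probe(h http.HandlerFunc) (status int, leaksSupi bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet,
		"/nudr-dr/v2/application-data/influenceData/subs-to-notify", nil)
	h(rec, req)
	body := rec.Body.String()
	for _, s := range subscriptions {
		if strings.Contains(body, s.Supi) {
			return rec.Code, true
		}
	}
	return rec.Code, false
}

func main() {
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"leaky", leakyHandler}, {"fixed", fixedHandler}} {
		status, leak := Probe(c.h)
		fmt.Printf("%s handler: status=%d leaksSupi=%v\n", c.name, status, leak)
	}
}
```

Running it prints a 400 for both handlers, but only the leaky one reports `leaksSupi=true`; that difference is exactly what the curl check on this page looks for, and the single `return` after `http.Error` is the whole fix.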
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability leads to the exposure of highly sensitive subscriber permanent identifiers (SUPI/IMSI) without authentication, which undermines privacy protections at the core network level.
Such unauthorized disclosure of personal subscriber information can violate privacy and data protection regulations like GDPR, which require the protection of personally identifiable information and mandate strict controls on data access and leakage.
By leaking subscriber identifiers through improperly handled error responses, the vulnerability compromises confidentiality and could result in non-compliance with standards that enforce data privacy and security.