CVE-2026-40246
Improper Access Control in free5GC UDR Allows Subscription Deletion
Publication date: 2026-04-16
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | up to and including 1.4.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions 1.4.2 and below of the UDR service. The issue is in the handler responsible for deleting Traffic Influence Subscriptions. It checks if the influenceId path segment equals 'subs-to-notify', but even if this validation fails and an HTTP 404 response is sent, the code does not stop execution. As a result, the subscription is deleted regardless of the validation failure.
An unauthenticated attacker who has access to the 5G Service Based Interface can exploit this by supplying any value for the influenceId path segment. The API will misleadingly return a 404 Not Found response, but the deletion of arbitrary Traffic Influence Subscriptions still occurs.
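The control-flow defect described above, the "write an error response but keep going" pattern, is easy to miss in review because the client does see a 404. The following Go program is an added illustration and is not free5GC's code: it uses a constructed in-memory subscription store, hypothetical parameter names (influenceId, subscId) and a toy handler shape, and places the flawed handler beside a corrected one that returns immediately after rejecting the request and also refuses to delete a subscription that does not exist.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// subscriptionStore is a constructed in-memory stand-in for the UDR's
// Traffic Influence Subscription data; it is not the real free5GC store.
type subscriptionStore struct {
	mu   sync.Mutex
	subs map[string]struct{}
}

func newStore(ids ...string) *subscriptionStore {
	s := &subscriptionStore{subs: make(map[string]struct{})}
	for _, id := range ids {
		s.subs[id] = struct{}{}
	}
	return s
}

func (s *subscriptionStore) delete(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.subs, id)
}

func (s *subscriptionStore) has(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.subs[id]
	return ok
}

// deleteHandler is the hypothetical handler shape used here: the two path
// segments (influenceId, subscId) are passed in already parsed.
type deleteHandler func(s *subscriptionStore, w http.ResponseWriter, influenceId, subscId string)

// VulnerableDelete reproduces the flaw pattern from the advisory: the 404 is
// written when influenceId is not "subs-to-notify", but nothing stops the
// function, so the deletion below still executes.
func VulnerableDelete(s *subscriptionStore, w http.ResponseWriter, influenceId, subscId string) {
	if influenceId != "subs-to-notify" {
		w.WriteHeader(http.StatusNotFound)
		// BUG: no return here; execution falls through to the delete.
	}
	s.delete(subscId)
	w.WriteHeader(http.StatusNoContent) // ignored once a 404 has already been written
}

// FixedDelete performs the same check but returns immediately on rejection,
// so a rejected request causes no state change. It also refuses to "delete"
// a subscription that does not exist, which keeps 404 meaningful.
func FixedDelete(s *subscriptionStore, w http.ResponseWriter, influenceId, subscId string) {
	if influenceId != "subs-to-notify" {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	if !s.has(subscId) {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	s.delete(subscId)
	w.WriteHeader(http.StatusNoContent)
}

// Exercise runs a handler against a recorder and reports the status code sent
// to the client together with whether the subscription survived the call.
func Exercise(h deleteHandler, s *subscriptionStore, influenceId, subscId string) (status int, stillPresent bool) {
	rec := httptest.NewRecorder()
	h(s, rec, influenceId, subscId)
	return rec.Code, s.has(subscId)
}

func main() {
	cases := []struct {
		name string
		h    deleteHandler
	}{{"vulnerable", VulnerableDelete}, {"fixed", FixedDelete}}
	for _, c := range cases {
		s := newStore("sub-1") // constructed sample subscription
		status, present := Exercise(c.h, s, "not-subs-to-notify", "sub-1")
		fmt.Printf("%s handler: client saw %d, subscription still present: %v\n", c.name, status, present)
	}
}
```

Running it shows the property the advisory describes: the vulnerable handler answers 404 and yet the subscription is gone, while the fixed handler answers 404 and leaves it in place. For operators who cannot patch immediately, the same observation suggests what to look for in UDR access logs: DELETE requests on the subscription path that are answered 404 while the corresponding subscription disappears from the data store.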
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker with access to the 5G Service Based Interface to delete arbitrary Traffic Influence Subscriptions. This can disrupt network traffic management and influence policies, potentially leading to denial of service or degraded network performance for users relying on those subscriptions.