CVE-2026-40247
Received Received - Intake
Information Disclosure in free5GC UDR Service via Improper 404 Handling

Publication date: 2026-04-16

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription data is returned alongside the 404 response. An unauthenticated attacker with access to the 5G Service Based Interface can read arbitrary Traffic Influence Subscriptions, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40247
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions 4.2.1 and below of the UDR service. The issue occurs in the handler responsible for reading Traffic Influence Subscriptions. When the handler checks if the influenceId path segment equals 'subs-to-notify' and the validation fails, it sends an HTTP 404 response but does not stop execution. As a result, the subscription data is still returned alongside the 404 response.

An unauthenticated attacker who has access to the 5G Service Based Interface can exploit this flaw by supplying any value for the influenceId path segment. This allows the attacker to read arbitrary Traffic Influence Subscriptions, which include sensitive information such as SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs.

Impact Analysis

This vulnerability can have significant security impacts because it allows an unauthenticated attacker to access sensitive subscriber information without authorization. The attacker can read arbitrary Traffic Influence Subscriptions, exposing subscriber identifiers (SUPIs/IMSIs), network slice information (DNNs, S-NSSAIs), and callback URIs.

Such unauthorized access can lead to privacy breaches, potential tracking of subscribers, and exploitation of network services. Since the attacker does not need any privileges or user interaction, the risk is high.

Compliance Impact

This vulnerability allows an unauthenticated attacker to access sensitive subscriber information such as SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs by exploiting the UDR service in free5GC versions 4.2.1 and below.

Exposure of such personally identifiable information (PII) and network data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls on unauthorized access to sensitive personal and health-related data.

Therefore, this vulnerability poses a risk to compliance with these standards by potentially enabling unauthorized disclosure of protected subscriber information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart