CVE-2026-40247
Information Disclosure in free5GC UDR Service via Improper 404 Handling
Publication date: 2026-04-16
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | up to 4.2.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions 4.2.1 and below of the UDR service. The issue occurs in the handler responsible for reading Traffic Influence Subscriptions. When the handler checks if the influenceId path segment equals 'subs-to-notify' and the validation fails, it sends an HTTP 404 response but does not stop execution. As a result, the subscription data is still returned alongside the 404 response.
An unauthenticated attacker who has access to the 5G Service Based Interface can exploit this flaw by supplying any value for the influenceId path segment. This allows the attacker to read arbitrary Traffic Influence Subscriptions, which include sensitive information such as SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs.
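The missing-return pattern described above, as an added Go example that is not free5GC's code: the route shape, the `readSub` and `probe` names, and the sample record are assumptions made for illustration. It runs the same handler with and without the `return` after the 404 and reports whether subscription data reaches the response body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed record; field names and values are illustrative only.
var sub = map[string]string{
	"supi":            "imsi-001010000000001",
	"dnn":             "internet",
	"notificationUri": "http://af.example/notify",
}

// readSub models a handler for the illustrative route
// /influenceData/{influenceId}/{subscriptionId}. With returnAfter404=false
// it reproduces the flaw: the 404 is written, then execution continues.
func readSub(returnAfter404 bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		seg := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(seg) != 3 || seg[1] != "subs-to-notify" {
			http.Error(w, "not found", http.StatusNotFound)
			if returnAfter404 {
				return // the fix: stop once the error response is sent
			}
		}
		// Reached on the error path too when the return is missing.
		json.NewEncoder(w).Encode(sub)
	}
}

// probe sends a GET and reports the status code and whether the
// response body carries the subscriber identifier.
func probe(h http.Handler, path string) (int, bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, strings.Contains(rec.Body.String(), sub["supi"])
}

func main() {
	for _, fixed := range []bool{false, true} {
		code, leaked := probe(readSub(fixed), "/influenceData/anything/1")
		fmt.Printf("returnAfter404=%v status=%d leaked=%v\n", fixed, code, leaked)
	}
}
```

A regression test for the fix should assert on the response body as well as the status code, since the status is 404 in both the flawed and the corrected handler.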
How can this vulnerability impact me?
This vulnerability can have significant security impacts because it allows an unauthenticated attacker to access sensitive subscriber information without authorization. The attacker can read arbitrary Traffic Influence Subscriptions, exposing subscriber identifiers (SUPIs/IMSIs), data network names (DNNs), network slice identifiers (S-NSSAIs), and callback URIs.
Such unauthorized access can lead to privacy breaches, potential tracking of subscribers, and exploitation of network services. Since the attacker does not need any privileges or user interaction, the risk is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an unauthenticated attacker to access sensitive subscriber information such as SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs by exploiting the UDR service in free5GC versions 4.2.1 and below.
Exposure of such personally identifiable information (PII) and network data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls on unauthorized access to sensitive personal and health-related data.
Therefore, this vulnerability poses a risk to compliance with these standards by potentially enabling unauthorized disclosure of protected subscriber information.