CVE-2026-40248
Unauthorized Traffic Influence Subscription Creation in free5GC UDR Service
Publication date: 2026-04-16
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | up to and including 4.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions 4.2.1 and below of the UDR service. The issue occurs in the handler responsible for creating or updating Traffic Influence Subscriptions. When the handler checks if the influenceId path segment equals 'subs-to-notify' and the validation fails, it sends an HTTP 404 response but does not stop execution. As a result, the subscription is still created or overwritten.
An unauthenticated attacker with access to the 5G Service Based Interface can exploit this flaw by supplying any value for the influenceId path segment. This allows the attacker to create or overwrite arbitrary Traffic Influence Subscriptions, including injecting attacker-controlled notificationUri values and arbitrary SUPIs.
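The missing early return described above, shown beside its corrected form as an added Go example. This is not free5GC source code: the `Store` type, the `/influenceData/{influenceId}/{subscriptionId}` route, the query parameter and the handler names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// Store is a hypothetical stand-in for the UDR's subscription storage.
type Store map[string]string

// Vulnerable answers 404 for an unexpected influenceId but keeps executing.
func Vulnerable(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		influenceID, subID := path.Base(path.Dir(r.URL.Path)), path.Base(r.URL.Path)
		if influenceID != "subs-to-notify" {
			http.Error(w, "not found", http.StatusNotFound)
			// BUG: no return, so the write below still runs (fail-open).
		}
		s[subID] = r.URL.Query().Get("notificationUri")
	}
}

// Fixed returns immediately after the error response, so nothing is stored.
func Fixed(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		influenceID, subID := path.Base(path.Dir(r.URL.Path)), path.Base(r.URL.Path)
		if influenceID != "subs-to-notify" {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		s[subID] = r.URL.Query().Get("notificationUri")
	}
}

// Probe sends one constructed PUT and reports the status and whether state changed.
func Probe(mk func(Store) http.HandlerFunc, influenceID string) (int, bool) {
	s := Store{}
	target := "/influenceData/" + influenceID + "/sub-1?notificationUri=http://example.invalid/cb"
	rec := httptest.NewRecorder()
	mk(s)(rec, httptest.NewRequest(http.MethodPut, target, nil))
	return rec.Code, len(s) > 0
}

func main() {
	fmt.Println(Probe(Vulnerable, "other")) // 404 true
	fmt.Println(Probe(Fixed, "other"))      // 404 false
}
```

Both handlers return 404 for the rejected request, so a regression test for this class of bug has to assert on stored state as well as on the status code.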
How can this vulnerability impact me?
This vulnerability can have serious impacts because it allows an unauthenticated attacker to create or overwrite Traffic Influence Subscriptions within the 5G core network. This could lead to unauthorized manipulation of network traffic influence settings, including:
- Injection of attacker-controlled notificationUri values, potentially redirecting notifications or data.
- Creation or overwriting of subscriptions with arbitrary SUPIs, which could affect subscriber identity management.
Overall, this could disrupt network operations, compromise subscriber data integrity, and potentially enable further attacks within the 5G network infrastructure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an unauthenticated attacker to create or overwrite arbitrary Traffic Influence Subscriptions in the free5GC UDR service, potentially injecting attacker-controlled data. This unauthorized access and manipulation of subscription data could lead to violations of data protection and privacy requirements mandated by standards such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Specifically, the ability to inject arbitrary SUPIs (Subscriber Permanent Identifiers) and notification URIs without authentication may result in unauthorized disclosure or modification of subscriber data, undermining confidentiality and integrity requirements.
Therefore, this vulnerability poses a significant risk to compliance with regulations that mandate protection of personal data and secure access controls.