CVE-2026-40248
Received Received - Intake
Unauthorized Traffic Influence Subscription Creation in free5GC UDR Service

Publication date: 2026-04-16

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is created or overwritten regardless. An unauthenticated attacker with access to the 5G Service Based Interface can create or overwrite arbitrary Traffic Influence Subscriptions, including injecting attacker-controlled notificationUri values and arbitrary SUPIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40248
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions 4.2.1 and below of the UDR service. The issue occurs in the handler responsible for creating or updating Traffic Influence Subscriptions. When the handler checks if the influenceId path segment equals 'subs-to-notify' and the validation fails, it sends an HTTP 404 response but does not stop execution. As a result, the subscription is still created or overwritten.

An unauthenticated attacker with access to the 5G Service Based Interface can exploit this flaw by supplying any value for the influenceId path segment. This allows the attacker to create or overwrite arbitrary Traffic Influence Subscriptions, including injecting attacker-controlled notificationUri values and arbitrary SUPIs.

Impact Analysis

This vulnerability can have serious impacts because it allows an unauthenticated attacker to create or overwrite Traffic Influence Subscriptions within the 5G core network. This could lead to unauthorized manipulation of network traffic influence settings.

  • Injection of attacker-controlled notificationUri values, potentially redirecting notifications or data.
  • Creation or overwriting of subscriptions with arbitrary SUPIs, which could affect subscriber identity management.

Overall, this could disrupt network operations, compromise subscriber data integrity, and potentially enable further attacks within the 5G network infrastructure.

Compliance Impact

The vulnerability allows an unauthenticated attacker to create or overwrite arbitrary Traffic Influence Subscriptions in the free5GC UDR service, potentially injecting attacker-controlled data. This unauthorized access and manipulation of subscription data could lead to violations of data protection and privacy requirements mandated by standards such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the ability to inject arbitrary SUPIs (Subscriber Permanent Identifiers) and notification URIs without authentication may result in unauthorized disclosure or modification of subscriber data, undermining confidentiality and integrity requirements.

Therefore, this vulnerability poses a significant risk to compliance with regulations that mandate protection of personal data and secure access controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40248. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart