
CVE-2026-40245

HIGH
Information Exposure (CWE-200)
2026-04-14 https://github.com/free5gc/udr GHSA-wrwh-rpq4-87hf
7.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Lifecycle Timeline (6 events)

  • Analysis Updated: Apr 21, 2026 - 14:15, vuln.today, v3 (cvss_changed)
  • Analysis Updated: Apr 16, 2026 - 00:28, vuln.today, v2 (cvss_changed)
  • Re-analysis Queued: Apr 16, 2026 - 00:22, vuln.today, cvss_changed
  • Analysis Generated: Apr 14, 2026 - 22:36, vuln.today
  • Analysis Generated: Apr 14, 2026 - 20:31, vuln.today
  • CVE Published: Apr 14, 2026 - 20:00, nvd, HIGH 7.5

Description (GitHub Advisory)

Summary

An information disclosure vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to retrieve stored subscriber identifiers (SUPI/IMSI) with a single HTTP GET request requiring no parameters or credentials.

Details

The endpoint GET /nudr-dr/v2/application-data/influenceData/subs-to-notify (defined in 3GPP TS 29.519) requires at least one query parameter (dnns, snssais, supis, or internalGroupIds) to filter results.

In the free5GC UDR implementation, the input validation is present but ineffective because the handler does not return after sending the HTTP 400 error. The request handling flow is:

  1. The function HandleApplicationDataInfluenceDataSubsToNotifyGet in ./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/api_datarepository.go (around line 2793) checks whether all of dnn, snssai, internalGroupId, and supi are empty.
  2. If they are all empty, it builds a problemDetails structure and calls c.JSON(http.StatusBadRequest, problemDetails) to send a 400 response, but it does not return afterwards.
  3. Execution continues and the handler still calls s.Processor().ApplicationDataInfluenceDataSubsToNotifyGetProcedure(c, dnn, snssai, internalGroupId, supi) defined in ./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/processor/influence_data_subscriptions_collection.go.
  4. This processor function queries the data repository and writes the full list of Traffic Influence Subscriptions to the HTTP response body, including supis fields with SUPI/IMSI values.

As a result, a request without any query parameters produces a response where the HTTP status is 400 Bad Request, but the body contains both the error object and the full subscription list.

The missing return after sending the 400 response in api_datarepository.go is the root cause of this vulnerability.

PoC

No authentication, no prior knowledge of any subscriber identifier required.

```bash
curl -v "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify"
```

Response (HTTP 400):

```json
{"status":400,"detail":"At least one of DNNs, S-NSSAIs, Internal Group IDs or SUPIs shall be provided"}
[{"dnns":["internet"],
  "snssais":[{"sst":1,"sd":"000001"}],
  "supis":["imsi-222777483957498"],
  "notificationUri":"http://pcf.../npcf-callback/v1/nudr-notify/influence-data/imsi-222777483957498/1"}]
```

Impact

This is an unauthenticated information disclosure vulnerability. Any attacker with network access to the SBI (Service Based Interface) can enumerate SUPIs (Subscriber Permanent Identifiers / IMSI values) of registered users without any credentials or prior knowledge.

In a 5G network, the SUPI is the most sensitive subscriber identifier - its exposure breaks the privacy guarantees introduced by 3GPP with the SUCI (Subscription Concealed Identifier) mechanism, designed specifically to prevent SUPI tracking over the air. This vulnerability completely undermines that protection at the core network level.

Impacted deployments: any free5GC instance where the SBI is reachable by untrusted parties (e.g., misconfigured network segmentation, rogue NF, or compromised internal host).

Note: an additional trigger exists - sending a malformed snssai parameter also bypasses validation due to a missing return after the deserialization error handler, producing the same information disclosure.

Patch

The vulnerability has been confirmed patched by adding the two missing return statements in NFs/udr/internal/sbi/api_datarepository.go, function HandleApplicationDataInfluenceDataSubsToNotifyGet:

  1. After the c.JSON(http.StatusBadRequest, problemDetails) call in the snssai deserialization error branch.
  2. After the c.JSON(http.StatusBadRequest, problemDetails) call in the empty parameters validation block.

With the patch applied, a request without any query parameters now correctly returns HTTP 400 with only the error message, and no subscriber data is included in the response body.

The fix has been verified: after applying the patch and recompiling the UDR, the endpoint GET /nudr-dr/v2/application-data/influenceData/subs-to-notify returns HTTP 400 with only:

```json
{"status":400,"detail":"At least one of DNNs, S-NSSAIs, Internal Group IDs or SUPIs shall be provided"}
```

No SUPI or subscription data is leaked.
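
The control-flow bug and its fix, as an added example that is not free5GC's code: a plain net/http model of the handler with and without the return, plus a regression check that counts the JSON values in the 400 body. The names subsToNotify and extraValuesOn400 and the sample subscription record are assumptions constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample record standing in for the UDR data repository.
var subs = []map[string][]string{{"dnns": {"internet"}, "supis": {"imsi-001010000000001"}}}

// subsToNotify models the handler's control flow (hypothetical name). With
// returnAfterError=false the 400 is written and the repository query still runs.
func subsToNotify(returnAfterError bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("dnns") == "" && q.Get("snssais") == "" &&
			q.Get("supis") == "" && q.Get("internalGroupIds") == "" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]interface{}{"status": 400,
				"detail": "At least one of DNNs, S-NSSAIs, Internal Group IDs or SUPIs shall be provided"})
			if returnAfterError {
				return // the fix: stop before touching the repository
			}
		}
		json.NewEncoder(w).Encode(subs) // filtering omitted in this model
	}
}

// extraValuesOn400 sends a parameterless GET and counts the JSON values that
// follow the first one in the body. Anything above 0 on a 400 is a leak.
func extraValuesOn400(h http.Handler) (status, extra int) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet,
		"/nudr-dr/v2/application-data/influenceData/subs-to-notify", nil))
	dec, n := json.NewDecoder(rec.Body), 0
	for dec.Decode(new(interface{})) == nil {
		n++
	}
	return rec.Code, n - 1
}

func main() {
	for _, fixed := range []bool{false, true} {
		code, extra := extraValuesOn400(subsToNotify(fixed))
		fmt.Printf("fixed=%v status=%d extra_json_values=%d\n", fixed, code, extra)
	}
}
```

The same body check applies to any handler that writes an error response in a branch: a status-code assertion alone passes on both variants, so the test has to inspect the body.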

Analysis (AI)

Unauthenticated access to free5GC UDR subscriber identifiers exposes SUPI/IMSI values via unprotected 5G Service Based Interface endpoint. Missing return statements in free5GC UDR versions prior to 4.2.1 allow attackers to retrieve complete subscriber databases with a single parameterless HTTP GET request, undermining 3GPP SUCI privacy mechanisms. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Gain SBI network access
  • Delivery: Send HTTP GET to UDR endpoint
  • Exploit: Receive HTTP 400 with leaked subscriber data
  • Execution: Extract SUPI/IMSI identifiers
  • Impact: Enable subscriber tracking

Vulnerability Assessment (AI)

Exploitation: Network access to the 5G Service Based Interface (SBI) is required - specifically HTTP connectivity to the UDR component's /nudr-dr/v2/application-data/influenceData/subs-to-notify endpoint. …
Risk Assessment: Real-world risk is highly deployment-dependent but potentially critical for vulnerable configurations. …
Exploit Scenario: An attacker gains network access to the 5G core Service Based Interface, either through compromising a management workstation, exploiting a misconfigured firewall rule that exposes SBI endpoints, or pivoting from a compromised network function. The attacker issues a single HTTP GET request to the UDR endpoint without any query parameters: curl http://udr.5gcore.local/nudr-dr/v2/application-data/influenceData/subs-to-notify. …
Remediation: Apply the vendor-released patch that adds missing return statements to NFs/udr/internal/sbi/api_datarepository.go in the HandleApplicationDataInfluenceDataSubsToNotifyGet function. …

Recommended Action (AI)

Within 24 hours: Identify all free5GC UDR deployments and document current versions; isolate any pre-4.2.1 instances from untrusted network access. …
