Description
free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is deleted regardless. An unauthenticated attacker with access to the 5G Service Based Interface can delete arbitrary Traffic Influence Subscriptions by supplying any value for the influenceId path segment, while the API misleadingly returns a 404 Not Found response. A patched version was not available at the time of publication.
Published: 2026-04-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of Traffic Influence Subscriptions by unauthenticated users
Action: Assess Impact
AI Analysis

Impact

In the UDR service of free5GC, the delete handler for Traffic Influence Subscriptions verifies that the influenceId in the URL is "subs-to-notify" but fails to abort execution after returning a 404 response when validation fails. As a result, regardless of the supplied influenceId value, the handler continues and removes the subscription from the system. The flaw permits an attacker without authentication to delete any Traffic Influence Subscriptions simply by issuing a delete request to the 5G Service Based Interface. The API misleads the caller with a 404 response while the subscription is actually removed, masking the action.
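The missing-return pattern described above, reduced to a constructed Go net/http handler beside its corrected form. This is an added example, not free5GC's own code or routes; the /influenceData/{influenceId}/{subscriptionId} route, the SubStore map and the Exercise helper are assumptions made for the illustration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// SubStore: constructed in-memory stand-in for the UDR's subscription storage (not free5GC code).
type SubStore map[string]bool

// pathIDs splits the assumed route "/influenceData/{influenceId}/{subscriptionId}" into its IDs.
func pathIDs(p string) (influenceID, subID string) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	return parts[len(parts)-2], parts[len(parts)-1]
}

// VulnerableDelete reproduces the pattern the advisory describes: a 404 is written when
// influenceId is wrong, but the missing return lets execution fall through to the deletion.
func VulnerableDelete(store SubStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		influenceID, subID := pathIDs(r.URL.Path)
		if influenceID != "subs-to-notify" {
			w.WriteHeader(http.StatusNotFound) // response sent, but no return
		}
		delete(store, subID)                // runs for every request, even after the 404
		w.WriteHeader(http.StatusNoContent) // ignored: a status was already written
	}
}

// FixedDelete returns immediately after the error response, so nothing past validation runs.
func FixedDelete(store SubStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		influenceID, subID := pathIDs(r.URL.Path)
		if influenceID != "subs-to-notify" {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		delete(store, subID)
		w.WriteHeader(http.StatusNoContent)
	}
}

// Exercise sends DELETE /influenceData/{influenceId}/{subId} to a handler and reports the
// status code together with whether the subscription is still present afterwards.
func Exercise(h http.HandlerFunc, store SubStore, influenceID, subID string) (int, bool) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodDelete, "/influenceData/"+influenceID+"/"+subID, nil))
	return rec.Code, store[subID]
}
```

With a bogus influenceId the vulnerable handler answers 404 yet the subscription is gone, which is exactly the misleading behaviour the advisory reports; the fixed handler answers 404 and leaves the store untouched.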

Affected Systems

The vulnerability affects the free5gc UDR service in versions 1.4.2 and earlier. Only the free5gc:free5gc product is impacted; other free5gc components are unaffected.

Risk and Exploitability

The CVSS score of 8.7 marks this as high severity, and its EPSS score is not available; the issue has not been catalogued in KEV. An unauthenticated attacker can exploit the flaw by sending a delete request over the 5G Service Based Interface. Because no authentication or authorization check is performed, the attacker can target any Traffic Influence Subscription, potentially disrupting service notifications or traffic management policies.

Generated by OpenCVE AI on April 17, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Limit access to the 5G Service Based Interface to authenticated and authorized users only
  • Apply a vendor-released patch for free5gc UDR when it becomes available
  • Implement additional validation to ensure the influenceId equals the allowed value before processing a deletion request
  • Monitor logs for unauthorized delete attempts and investigate anomalies promptly


Advisories

  • Source: Github GHSA; ID: GHSA-g9cw-qwhf-24jp; Title: free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions
History

Sat, 18 Apr 2026 03:15:00 +0000

  • Metrics (ssvc), values added:
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 23:30:00 +0000

  • First Time appeared, values added: Free5gc; Free5gc free5gc
  • Vendors & Products, values added: Free5gc; Free5gc free5gc

Thu, 16 Apr 2026 22:00:00 +0000

  • Description, values added: identical to the Description at the top of this page
  • Title, values added: free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions
  • Weaknesses, values added: CWE-285
  • References, values added: none listed
  • Metrics (cvssV4_0), values added:
    {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-18T02:46:14.355Z
Reserved: 2026-04-10T17:31:45.786Z
Link: CVE-2026-40246

Vulnrichment

Updated: 2026-04-18T02:46:04.854Z

NVD

Status: Undergoing Analysis
Published: 2026-04-16T22:16:38.370
Modified: 2026-04-17T15:38:09.243
Link: CVE-2026-40246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses