Description
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription data is returned alongside the 404 response. An unauthenticated attacker with access to the 5G Service Based Interface can read arbitrary Traffic Influence Subscriptions, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
Published: 2026-04-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Read of Sensitive Subscription Data
Action: Patch
AI Analysis

Impact

In free5GC UDR service versions 4.2.1 or older, the endpoint that returns Traffic Influence Subscriptions validates the influenceId path segment but fails to terminate execution after sending a 404. Consequently, it still sends the subscription data in the response body. Because the endpoint does not require authentication, an unauthenticated actor with reach to the 5G SBI can request any influenceId and obtain subscription details such as SUPIs, IMSIs, DNNs, S‑NSSAIs, and callback URIs. This falls under improper authorization and incorrect input validation weaknesses.

Affected Systems

The flaw impacts the free5GC implementation of the 5G core network, specifically the UDR (Unified Data Repository) service in releases 4.2.1 and earlier. The affected product is free5GC free5GC, and any deployment that exposes the UDR SBI endpoint without additional protection is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. EPSS data is unavailable, so the probability of exploitation cannot be quantified, although the flaw allows data disclosure to any actor that can reach the SBI. The issue is not listed in CISA's KEV catalog. Because the attacker does not need credentials and only needs network access to the UDR service, targeted or opportunistic exploitation is likely where network segmentation is weak. Until a patch is released, the risk remains significant.

Generated by OpenCVE AI on April 17, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch or upgrade to a version newer than 4.2.1 when available.
  • Restrict network access to the UDR SBI endpoint using firewalls or ACLs so that only trusted devices can reach it.
  • Enforce authentication and TLS client certificates on all SBI traffic to ensure only authorized entities can invoke UDR services.
  • Monitor SBI logs for unexpected traffic or repeated 404 responses that may indicate blind exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x5r2-r74c-3w28 free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions
History

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Thu, 16 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription data is returned alongside the 404 response. An unauthenticated attacker with access to the 5G Service Based Interface can read arbitrary Traffic Influence Subscriptions, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
Title free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions
Weaknesses CWE-285
CWE-636
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T18:44:09.831Z

Reserved: 2026-04-10T17:31:45.786Z

Link: CVE-2026-40247

cve-icon Vulnrichment

Updated: 2026-04-17T18:44:06.223Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-16T22:16:38.510

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40247

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses