Description
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is created or overwritten regardless. An unauthenticated attacker with access to the 5G Service Based Interface can create or overwrite arbitrary Traffic Influence Subscriptions, including injecting attacker-controlled notificationUri values and arbitrary SUPIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
Published: 2026-04-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Subscription Creation/Modification
Action: Assess Impact
AI Analysis

Impact

An incomplete path validation in the free5gc UDR service allows an unauthenticated attacker to create or overwrite Traffic Influence Subscriptions, regardless of the influenceId supplied. This flaw enables an attacker to inject arbitrary notificationUri values and SUPIs, potentially redirecting traffic or exfiltrating data. The vulnerability is a form of improper access control and path injection (CWE-285 and CWE-636), providing the attacker with elevated control over subscription mechanisms without authentication.

Affected Systems

The issue affects the free5gc UDR service version 4.2.1 and any older releases. No official patch was available at the time of disclosure, and the vulnerability remains in all affected deployments that have not been updated.

Risk and Exploitability

The CVSS score of 8.7 signifies high severity. Although EPSS data is not available, the vulnerability is exploitable via the 5G Service Based Interface without authentication. The lack of a KEV listing does not diminish the risk; any system exposing the UDR may be vulnerable. Attackers can create or modify subscriptions remotely, potentially compromising data integrity and confidentiality in the network.

Generated by OpenCVE AI on April 17, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5gc to a patched version as soon as it becomes available.
  • Configure network or firewall rules to restrict unauthenticated access to the UDR Service Based Interface endpoints.
  • Enable logging and monitoring of Traffic Influence Subscription creation and updates to detect unauthorized activity.

Generated by OpenCVE AI on April 17, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jgq2-qv8v-5cmj free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions
History

Thu, 16 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Thu, 16 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is created or overwritten regardless. An unauthenticated attacker with access to the 5G Service Based Interface can create or overwrite arbitrary Traffic Influence Subscriptions, including injecting attacker-controlled notificationUri values and arbitrary SUPIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
Title free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions
Weaknesses CWE-285
CWE-636
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T21:57:13.101Z

Reserved: 2026-04-10T17:31:45.786Z

Link: CVE-2026-40248

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-16T22:16:38.657

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40248

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses