Description
free5GC UDR is the user data repository (UDR) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.
Published: 2026-04-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized creation of Policy Data notification subscriptions
Action: Monitor
AI Analysis

Impact

The flaw is a fail-open handling bug (CWE-754, improper check for unusual or exceptional conditions) in the UDR service: the /nudr-dr/v2/policy-data/subs-to-notify POST handler continues processing a request after the request body has failed to be retrieved or deserialized, instead of rejecting it. The result is a subscription created from invalid, empty, or partially decoded input, which, depending on how the downstream processor treats such records, may let an attacker register unexpected Policy Data notifications or disturb the data flow between core network functions.
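The handler pattern described above, reduced to a minimal net/http program. This is added illustrative Go code, not free5GC's UDR source: the request struct and its field names, the validation rules, the in-memory store and the helper names (failOpenHandler, failClosedHandler, runCaseString, runCaseReadError) are assumptions for the example; only the route path comes from the advisory. The fail-open handler logs body-read and decode errors but keeps going, so a zero-value subscription reaches the store; the fail-closed form returns 400 on every error path and validates the decoded value before storing it. Both are driven with constructed bodies (valid JSON, an empty object, non-JSON, and a simulated read failure).

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// PolicyDataSubscription is an assumed, simplified shape for the body of
// POST /nudr-dr/v2/policy-data/subs-to-notify (not the real 3GPP model).
type PolicyDataSubscription struct {
	NotificationURI       string   `json:"notificationUri"`
	MonitoredResourceURIs []string `json:"monitoredResourceUris"`
}

func (s PolicyDataSubscription) validate() error {
	if s.NotificationURI == "" {
		return errors.New("notificationUri is required")
	}
	if len(s.MonitoredResourceURIs) == 0 {
		return errors.New("monitoredResourceUris must not be empty")
	}
	return nil
}

// subStore stands in for the downstream processor that persists subscriptions.
type subStore struct{ subs []PolicyDataSubscription }

// failOpenHandler reproduces the CWE-754 pattern the advisory describes:
// errors are logged but do not stop processing, so an empty or partially
// decoded subscription is still created.
func failOpenHandler(st *subStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var sub PolicyDataSubscription
		body, err := io.ReadAll(r.Body)
		if err != nil {
			log.Printf("read body: %v", err) // logged, processing continues
		}
		if err := json.Unmarshal(body, &sub); err != nil {
			log.Printf("decode body: %v", err) // logged, processing continues
		}
		st.subs = append(st.subs, sub) // zero-value sub gets stored
		w.WriteHeader(http.StatusCreated)
	}
}

// failClosedHandler is the hardened form: every error path returns 400
// before the store is touched, and the decoded value is validated.
func failClosedHandler(st *subStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "cannot read request body", http.StatusBadRequest)
			return
		}
		dec := json.NewDecoder(bytes.NewReader(body))
		dec.DisallowUnknownFields()
		var sub PolicyDataSubscription
		if err := dec.Decode(&sub); err != nil {
			http.Error(w, "malformed JSON body", http.StatusBadRequest)
			return
		}
		if err := sub.validate(); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		st.subs = append(st.subs, sub)
		w.WriteHeader(http.StatusCreated)
	}
}

// brokenBody simulates a body-retrieval failure (e.g. connection reset mid-read).
type brokenBody struct{}

func (brokenBody) Read([]byte) (int, error) { return 0, errors.New("connection reset by peer") }

// runCase sends one POST to a fresh store and returns (HTTP status, subscriptions created).
func runCase(build func(*subStore) http.HandlerFunc, body io.Reader) (int, int) {
	st := &subStore{}
	req := httptest.NewRequest(http.MethodPost, "/nudr-dr/v2/policy-data/subs-to-notify", body)
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	build(st).ServeHTTP(rec, req)
	return rec.Code, len(st.subs)
}

func runCaseString(build func(*subStore) http.HandlerFunc, body string) (int, int) {
	return runCase(build, strings.NewReader(body))
}

func runCaseReadError(build func(*subStore) http.HandlerFunc) (int, int) {
	return runCase(build, brokenBody{})
}

// validBody is a constructed sample request, not captured traffic.
const validBody = `{"notificationUri":"http://pcf.example/notify","monitoredResourceUris":["/policy-data/ues/imsi-1/am-data"]}`

func main() {
	for _, c := range []struct{ name, body string }{{"valid", validBody}, {"empty object", "{}"}, {"not JSON", "<xml/>"}} {
		oc, on := runCaseString(failOpenHandler, c.body)
		cc, cn := runCaseString(failClosedHandler, c.body)
		fmt.Printf("%-13s fail-open: %d (%d created)  fail-closed: %d (%d created)\n", c.name, oc, on, cc, cn)
	}
	oc, on := runCaseReadError(failOpenHandler)
	cc, cn := runCaseReadError(failClosedHandler)
	fmt.Printf("%-13s fail-open: %d (%d created)  fail-closed: %d (%d created)\n", "read error", oc, on, cc, cn)
}
```

The fail-open handler answers 201 and stores a subscription for all four inputs, including the read failure and the non-JSON body; the fail-closed handler stores one only for the valid body. The important design point is the early return on each error branch: logging an error is not handling it, and a handler that falls through to the store after a failed decode has effectively made the body optional.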

Affected Systems

The vulnerability affects the free5GC UDR component in all releases up to and including version 1.4.2. No fixed release had been identified at the time of publication.

Risk and Exploitability

The CVSS 4.0 score of 6.9 indicates medium severity. The vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) describes a network-reachable endpoint that needs no privileges or user interaction, with low integrity impact on the UDR itself and on the systems that consume its data. EPSS estimates the probability of exploitation at under 1%, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation (while rating the attack as automatable), so evidence of exploitation in the wild is limited. Any attacker who can reach the UDR's service-based interface inside the 5G core can send crafted HTTP POST requests that trigger the fail-open logic.

Generated by OpenCVE AI on April 22, 2026 at 06:09 UTC.

Remediation

No vendor fix or workaround is currently available.

OpenCVE Recommended Actions

  • Restrict network access to the UDR service endpoint that serves /nudr-dr/v2/policy-data/subs-to-notify to trusted IP ranges or subnets using firewall rules, so that unauthorized hosts cannot reach it.
  • Implement network segmentation so that only authorized core network components can reach the UDR service, thereby limiting the attack surface for the vulnerable endpoint.
  • Enable detailed logging and alerting for attempts to create subscriptions via the affected endpoint, and review logs regularly to detect misuse or abnormal activity.


Advisories
Source: GitHub GHSA
ID: GHSA-jwch-w7wh-gqjm
Title: free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation
History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 01:45:00 +0000

Type: First Time appeared
Values Added: Free5gc; Free5gc udr

Type: Vendors & Products
Values Added: Free5gc; Free5gc udr

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Added: free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.

Type: Title
Values Added: free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation

Type: Weaknesses
Values Added: CWE-754

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:12:25.224Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40343

Vulnrichment

Updated: 2026-04-22T13:12:21.523Z

NVD

Status: Received

Published: 2026-04-22T00:16:27.670

Modified: 2026-04-22T00:16:27.670

Link: CVE-2026-40343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses