CVE-2026-40245 Overview
CVE-2026-40245 is an information disclosure vulnerability in Free5GC, an open-source Linux Foundation 5G mobile core network project. The flaw exists in the Unified Data Repository (UDR) service in versions 4.2.1 and below. The handler for GET /nudr-dr/v2/application-data/influenceData/subs-to-notify sends an HTTP 400 error when required query parameters are missing but fails to return afterward. Execution continues into the processor, which appends the full list of Traffic Influence Subscriptions, including Subscription Permanent Identifier (SUPI) and International Mobile Subscriber Identity (IMSI) values, to the response body. An unauthenticated attacker on the 5G Service Based Interface can retrieve stored subscriber identifiers with a single parameterless HTTP GET request.
Critical Impact
Exposure of SUPI/IMSI subscriber identifiers undermines the privacy guarantees of the 3GPP SUCI concealment mechanism at the core network level.
Affected Products
- Free5GC versions 4.2.1 and below
- UDR (Unified Data Repository) service component
- 5G Service Based Interface (SBI) endpoints exposing nudr-dr/v2/application-data/influenceData
Discovery Timeline
- 2026-04-16 - CVE-2026-40245 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-40245
Vulnerability Analysis
The vulnerability resides in the UDR microservice handler for the subs-to-notify endpoint under application-data/influenceData. When the handler receives a request missing required query parameters, it writes an HTTP 400 response but does not return. The Go handler then proceeds to call the processor function as if the request were valid. The processor queries the underlying data repository for all Traffic Influence Subscriptions and serializes the result list to the response body. This data structure contains SUPI and IMSI fields tied to active subscriptions. A second variant of the bug exists when a malformed snssai parameter is supplied, where the same missing-return pattern allows execution to fall through into data disclosure.
The weakness is classified as [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Root Cause
The defect is a control flow error in the UDR handler. The validation branch logs an error and writes a status code to the response writer but does not terminate handler execution. Go HTTP handlers must explicitly return after sending an error response to prevent subsequent code from writing additional content. The processor function downstream performs no independent authorization or parameter re-validation before serializing repository contents.
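The missing-return pattern described above, reduced to a standalone net/http program. This is an added example, not Free5GC's code: the handler names, the in-memory records and their field names are constructed, and only the missing-parameter case is modeled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed records; field names are illustrative, not Free5GC's schema.
var subs = []map[string]string{{"supi": "imsi-001010000000001"}, {"supi": "imsi-001010000000002"}}

func hasFilter(r *http.Request) bool {
	q := r.URL.Query()
	return q.Has("supi") || q.Has("gpsi") || q.Has("snssai")
}

// process stands in for the downstream processor: it performs no checks of its own.
func process(w http.ResponseWriter) { json.NewEncoder(w).Encode(subs) }

// vulnerable writes the 400 but keeps executing, so the records follow the error text.
func vulnerable(w http.ResponseWriter, r *http.Request) {
	if !hasFilter(r) {
		http.Error(w, "missing query parameters", http.StatusBadRequest)
		// no return: control falls through to process
	}
	process(w)
}

// fixed terminates the handler as soon as the error response is written.
func fixed(w http.ResponseWriter, r *http.Request) {
	if !hasFilter(r) {
		http.Error(w, "missing query parameters", http.StatusBadRequest)
		return
	}
	process(w)
}

// probe sends a GET with no query string and returns the status and body,
// which is the shape of a regression test for this bug class.
func probe(h http.HandlerFunc) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/nudr-dr/v2/application-data/influenceData/subs-to-notify", nil))
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(probe(vulnerable))
	fmt.Println(probe(fixed))
}
```

Both handlers report status 400; only the body distinguishes them, which is why a status-code-only test does not catch this defect.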
Attack Vector
The attack requires network access to the 5G Service Based Interface where the UDR exposes its REST API. No authentication, user interaction, or privileges are required. An attacker issues an HTTP GET request to /nudr-dr/v2/application-data/influenceData/subs-to-notify with no query parameters. The server returns HTTP 400 followed by a JSON body containing the complete Traffic Influence Subscription list with SUPI/IMSI values. The SUPI is the most sensitive long-term subscriber identifier in 5G; its disclosure enables subscriber tracking and bypasses the SUCI concealment that 3GPP defines for the radio interface.
No verified public proof-of-concept code is available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-40245
Indicators of Compromise
- HTTP GET requests to /nudr-dr/v2/application-data/influenceData/subs-to-notify with no query parameters or with malformed snssai values
- HTTP 400 responses from the UDR service that carry a non-empty JSON body containing supi or imsi fields
- Unusual access patterns to UDR SBI endpoints originating from network segments that should not communicate with the UDR
Detection Strategies
- Inspect UDR access logs for GET requests to subs-to-notify endpoints that return HTTP 400 with response body sizes greater than expected for an error message
- Deploy network IDS signatures that match HTTP requests to the affected URI lacking required parameters
- Correlate UDR query volume against expected NF-to-NF traffic baselines on the SBI
Monitoring Recommendations
- Forward UDR and SBI gateway logs into a centralized analytics platform for retroactive hunting
- Alert on any unauthenticated access attempts to UDR endpoints from outside the 5G core trust boundary
- Track response payload sizes for 4xx responses on nudr-dr/v2 paths to surface anomalous data leakage
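One way to run the log checks from Detection Strategies and Monitoring Recommendations, as an added example that is not part of the original advisory or of Free5GC. It assumes nginx "combined" access-log lines from a proxy in front of the UDR and a 256-byte ceiling for legitimate error bodies; the sample lines are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Assumed input: nginx "combined" lines; only nudr-dr/v2 requests match.
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (/nudr-dr/v2/\S*) [^"]*" (\d{3}) (\d+)`)

// Assumed ceiling for a legitimate error body, in bytes; tune to your baseline.
const maxErrBody = 256

// Constructed sample log lines (documentation addresses, made-up sizes).
var sample = []string{
	`10.10.0.7 - - [16/Apr/2026:09:12:01 +0000] "GET /nudr-dr/v2/application-data/influenceData/subs-to-notify?supi=imsi-001010000000001 HTTP/2.0" 200 412 "-" "-"`,
	`192.0.2.44 - - [16/Apr/2026:09:13:40 +0000] "GET /nudr-dr/v2/application-data/influenceData/subs-to-notify HTTP/1.1" 400 1873 "-" "-"`,
	`10.10.0.9 - - [16/Apr/2026:09:14:02 +0000] "GET /nudr-dr/v2/application-data/influenceData/subs-to-notify?snssai=bad HTTP/2.0" 400 41 "-" "-"`,
	`192.0.2.44 - - [16/Apr/2026:09:15:10 +0000] "GET /nudr-dr/v2/application-data/influenceData/subs-to-notify HTTP/1.1" 403 153 "-" "-"`,
}

type Finding struct{ Client, URI, Reason string }

// scan flags oversized 4xx bodies on nudr-dr/v2 and unfiltered subs-to-notify GETs.
func scan(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		m := lineRE.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		path, rawQ, _ := strings.Cut(m[3], "?")
		q, _ := url.ParseQuery(rawQ)
		status, _ := strconv.Atoi(m[4])
		size, _ := strconv.Atoi(m[5])
		switch {
		case status >= 400 && status < 500 && size > maxErrBody:
			out = append(out, Finding{m[1], m[3], "oversized 4xx body"})
		case m[2] == "GET" && strings.HasSuffix(path, "/influenceData/subs-to-notify") &&
			!q.Has("supi") && !q.Has("gpsi") && !q.Has("snssai"):
			out = append(out, Finding{m[1], m[3], "no filter parameters"})
		}
	}
	return out
}

func main() { fmt.Printf("%+v\n", scan(sample)) }
```

The first rule surfaces responses where data followed the error; the second also catches parameterless requests that a patched UDR or a front proxy already rejected.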
How to Mitigate CVE-2026-40245
Immediate Actions Required
- Upgrade Free5GC to a release above version 4.2.1 that includes the fix referenced in the GitHub Security Advisory
- Restrict network access to the UDR Service Based Interface to authorized 5G network functions only
- Audit UDR logs for prior unauthenticated requests to influenceData/subs-to-notify and assess subscriber exposure
Patch Information
The Free5GC maintainers published advisory GHSA-wrwh-rpq4-87hf describing the issue and remediation. Apply the fixed version that adds the missing return after the parameter validation error response and enforces re-validation in the processor function.
Workarounds
- Place a reverse proxy or API gateway in front of the UDR that rejects requests to subs-to-notify missing the required supi, gpsi, or snssai parameters
- Enforce mutual TLS and OAuth2 token validation on the SBI per 3GPP TS 33.501 so that only authenticated, authorized NFs can call the UDR
- Apply network segmentation so the UDR is reachable only from peer NFs such as the NEF and PCF
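# Example nginx rule to block parameterless requests to the vulnerable endpoint
location /nudr-dr/v2/application-data/influenceData/subs-to-notify {
    # Reject unless supi, gpsi or snssai appears as a parameter name.
    # The match is case-sensitive and anchored to the start of a parameter,
    # so names such as "xsupi=" or "SUPI=" do not satisfy it.
    # Presence check only: it does not validate the snssai value, so the
    # malformed-snssai variant still requires the patched release.
    if ($args !~ "(^|&)(supi|gpsi|snssai)=") {
        return 403;
    }
    proxy_pass http://udr-backend;
}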
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


