CVE-2026-40245 Overview
CVE-2026-40245 is an information disclosure vulnerability affecting the Unified Data Repository (UDR) service in Free5GC, an open-source Linux Foundation project for 5th generation (5G) mobile core networks. The vulnerability allows unauthenticated attackers with network access to the 5G Service Based Interface (SBI) to retrieve sensitive subscriber identifiers, including SUPI/IMSI values, through a simple HTTP GET request.
The flaw exists in the handler for GET /nudr-dr/v2/application-data/influenceData/subs-to-notify, which sends an HTTP 400 error response when required query parameters are missing but fails to return afterward. This missing return statement allows execution to continue into the processor function, which queries the data repository and appends the full list of Traffic Influence Subscriptions to the response body.
Critical Impact
Exposure of SUPI (Subscription Permanent Identifier), the most sensitive subscriber identifier in 5G networks, undermines the privacy guarantees of the 3GPP SUCI concealment mechanism at the core network level.
Affected Products
- Free5GC versions 4.2.1 and below
- Free5GC UDR (Unified Data Repository) Service
Discovery Timeline
- 2026-04-16 - CVE-2026-40245 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-40245
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw stems from improper control flow in the UDR service's HTTP request handler. When an attacker sends a parameterless GET request to the vulnerable endpoint, the handler correctly identifies the missing required parameters and attempts to return an HTTP 400 error. However, the handler function fails to terminate execution after sending the error response.
As a result, program execution continues into the processor function, which proceeds to query the underlying data repository without proper authorization checks. The processor retrieves all stored Traffic Influence Subscriptions and appends them to the response body. This data includes SUPI (Subscription Permanent Identifier) and IMSI (International Mobile Subscriber Identity) values for subscribers.
The SUPI is particularly sensitive as it serves as the permanent identifier for subscribers in 5G networks. The 3GPP standards specifically designed the SUCI (Subscription Concealed Identifier) mechanism to protect the SUPI from being transmitted in cleartext over the air interface. This vulnerability effectively bypasses those privacy protections at the core network level.
Root Cause
The root cause is a missing return statement after sending the HTTP 400 error response in the request handler. This is a common programming pattern error where developers correctly identify an error condition and generate an appropriate error response but fail to halt further execution. The pattern affects both the missing query parameter case and the malformed snssai parameter case, indicating a systematic coding error in the handler implementation.
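The missing-return pattern described above, reduced to a minimal Go handler pair. This is an added example, not Free5GC's own code: the handler names, the empty-query check and the sample record are assumptions, and only the endpoint path comes from the advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for the repository contents; not real subscriber data.
var store = []map[string]string{{"supi": "imsi-001010000000001"}}

// processor stands in for the step that queries the repository and writes the results.
func processor(w http.ResponseWriter) { json.NewEncoder(w).Encode(store) }

// badRequest writes the 400 status and a short problem body.
func badRequest(w http.ResponseWriter) {
	w.WriteHeader(http.StatusBadRequest)
	fmt.Fprint(w, `{"status":400,"title":"Bad Request"}`)
}

// vulnerable: the error is written, but control falls through to the processor.
func vulnerable(w http.ResponseWriter, r *http.Request) {
	if len(r.URL.Query()) == 0 {
		badRequest(w) // BUG: no return, so execution continues below
	}
	processor(w)
}

// fixed: identical except that the error path terminates the handler.
func fixed(w http.ResponseWriter, r *http.Request) {
	if len(r.URL.Query()) == 0 {
		badRequest(w)
		return
	}
	processor(w)
}

// probe sends a parameterless GET in-process and returns the status and body.
func probe(h http.HandlerFunc) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/nudr-dr/v2/application-data/influenceData/subs-to-notify", nil))
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(probe(vulnerable)) // 400 followed by the appended records
	fmt.Println(probe(fixed))      // 400 with the error body only
}
```

Both handlers answer with status 400; only the body differs, which is why a status-code check alone does not reveal the flaw.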
Attack Vector
An unauthenticated attacker with network access to the 5G Service Based Interface can exploit this vulnerability by sending a single parameterless HTTP GET request to the /nudr-dr/v2/application-data/influenceData/subs-to-notify endpoint. No authentication or special privileges are required. The attack can be executed remotely over the network with low complexity.
A similar bypass exists when sending a malformed snssai parameter, which triggers the same missing return pattern and exposes the same sensitive subscriber data. For full technical details regarding the exploitation mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-40245
Indicators of Compromise
- Unusual HTTP GET requests to /nudr-dr/v2/application-data/influenceData/subs-to-notify without required query parameters
- HTTP 400 responses that contain unexpected JSON data in the response body beyond the error message
- Network connections to the UDR service SBI interface from unauthorized IP addresses
- Log entries showing access to Traffic Influence Subscription data without corresponding authenticated sessions
Detection Strategies
- Monitor HTTP request logs for parameterless or malformed requests to the vulnerable UDR endpoint
- Implement network-level access controls to restrict SBI interface access to authorized network functions only
- Deploy web application firewalls (WAF) to detect and block suspicious requests to 5G core service endpoints
- Configure SentinelOne Singularity XDR to monitor for unusual network activity targeting 5G core infrastructure
Monitoring Recommendations
- Enable detailed logging on the UDR service to capture all incoming HTTP requests and responses
- Set up alerts for HTTP 400 responses that exceed expected response body sizes
- Monitor for reconnaissance activity targeting 5G SBI endpoints
- Implement network segmentation monitoring between 5G core components
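One way to apply the log-based checks listed above, as an added example that is not part of the advisory or of Free5GC. The log line format, the `dnn` parameter, the addresses and the 256-byte threshold are constructed assumptions; adapt the parser to whatever your UDR or front-end proxy actually logs.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

const subsPath = "/nudr-dr/v2/application-data/influenceData/subs-to-notify"
const maxErrBody = 256 // assumed ceiling for a bare 400 problem body; tune per deployment

// Constructed sample lines in an assumed format: src method uri status bytes.
var sampleLog = []string{
	"192.0.2.10 GET /nudr-dr/v2/application-data/influenceData/subs-to-notify?dnn=internet 200 512",
	"192.0.2.99 GET /nudr-dr/v2/application-data/influenceData/subs-to-notify 400 4096",
	"192.0.2.99 GET /nudr-dr/v2/application-data/influenceData/subs-to-notify 400 120",
	"192.0.2.10 GET /nudr-dr/v2/subscription-data/x 400 9000",
	"truncated line",
}

type Finding struct{ Src, Reason string }

// Scan flags requests to the subs-to-notify endpoint that match the advisory's indicators.
// The size rule also covers the malformed-snssai case, since it keys on the response.
func Scan(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 5 || f[1] != "GET" {
			continue // malformed or irrelevant line
		}
		u, err := url.ParseRequestURI(f[2])
		status, err2 := strconv.Atoi(f[3])
		size, err3 := strconv.Atoi(f[4])
		if err != nil || err2 != nil || err3 != nil || u.Path != subsPath {
			continue
		}
		if status == 400 && size > maxErrBody {
			out = append(out, Finding{f[0], "400 with oversized body"})
		} else if u.RawQuery == "" {
			out = append(out, Finding{f[0], "parameterless request"})
		}
	}
	return out
}

func main() {
	fmt.Println(Scan(sampleLog))
}
```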
How to Mitigate CVE-2026-40245
Immediate Actions Required
- Restrict network access to the 5G SBI interface to only authorized network functions and management systems
- Deploy network segmentation to isolate the UDR service from untrusted network segments
- Monitor for exploitation attempts using the detection strategies outlined above
- Review UDR service logs for evidence of prior exploitation
Patch Information
Organizations running affected versions of Free5GC should upgrade to a patched version as soon as one becomes available. Monitor the GitHub Security Advisory for patch release announcements and update instructions. After patching, verify the fix by testing that parameterless requests to the affected endpoint return only the HTTP 400 error without any subscriber data.
Workarounds
- Implement strict network access controls to limit access to the UDR SBI interface to only trusted network functions
- Deploy a reverse proxy or API gateway in front of the UDR service to validate required query parameters before forwarding requests
- Use network segmentation and firewall rules to prevent unauthorized access to 5G core service endpoints
- Consider deploying an intrusion prevention system (IPS) with custom rules to block requests matching the exploitation pattern
```bash
# Example iptables rule to restrict access to UDR SBI interface
# Adjust interface and IP ranges for your environment
iptables -A INPUT -p tcp --dport 29504 -s <trusted_nf_subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport 29504 -j DROP
```

