CVE-2026-40246: free5GC UDR Auth Bypass Vulnerability

CVE-2026-40246 Overview

CVE-2026-40246 is an Improper Authorization vulnerability in free5GC, an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR (Unified Data Repository) service, the handler responsible for deleting Traffic Influence Subscriptions contains a critical logic flaw. While the handler checks whether the influenceId path segment equals subs-to-notify, it fails to return after sending the HTTP 404 response when validation fails. This allows execution to continue and delete the subscription regardless of the validation outcome.

Critical Impact

An unauthenticated attacker with network access to the 5G Service Based Interface can delete arbitrary Traffic Influence Subscriptions, potentially disrupting traffic management and QoS policies across the 5G core network.

Affected Products

• free5GC UDR Service version 1.4.2 and below
• free5GC 5G Core Network implementations using vulnerable UDR versions

Discovery Timeline

• 2026-04-16 - CVE-2026-40246 published to NVD
• 2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-40246

Vulnerability Analysis

This vulnerability is classified under CWE-285 (Improper Authorization). The flaw exists in the UDR service's Traffic Influence Subscription deletion handler. The core issue is a missing control flow statement—specifically, the absence of a return statement after sending an HTTP 404 response when input validation fails. This is a classic example of fall-through logic where error handling code correctly identifies an invalid condition but fails to halt further execution.

The vulnerability allows an attacker to bypass the authorization check entirely. When a request is made with any arbitrary value for the influenceId path segment, the validation logic detects the mismatch and sends a 404 Not Found response. However, because the function does not terminate at this point, execution continues to the deletion logic, and the subscription is removed from the system despite the misleading error response.

Root Cause

The root cause is a missing return statement in the validation logic within the UDR service's Traffic Influence Subscription deletion handler. After the handler checks if influenceId equals subs-to-notify and determines the validation has failed, it correctly sends an HTTP 404 response. However, the absence of a subsequent return statement allows program execution to fall through to the deletion code path. This results in the subscription being deleted regardless of whether the validation succeeded or failed, creating an authorization bypass condition.

Attack Vector

The attack vector is network-based, requiring access to the 5G Service Based Interface. An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP DELETE request to the UDR service endpoint for Traffic Influence Subscriptions. The attacker can supply any arbitrary value for the influenceId path parameter.

The exploitation mechanism works as follows: the attacker sends a DELETE request to the Traffic Influence Subscription endpoint. The server validates the influenceId parameter, finds it does not match the expected value, and returns a 404 Not Found response. Despite the error response, the backend continues execution and deletes the target subscription. The attacker receives a 404 response which may mislead them into thinking the operation failed, when in fact the deletion was successfully executed. This behavior can be exploited to delete any Traffic Influence Subscription in the system, potentially disrupting QoS policies, traffic steering rules, and overall 5G network traffic management. For technical details, see the GitHub Security Advisory.

Detection Methods for CVE-2026-40246

Indicators of Compromise

• Unexpected deletion of Traffic Influence Subscriptions in the UDR database
• HTTP DELETE requests to Traffic Influence Subscription endpoints with unusual or arbitrary influenceId values
• Discrepancy between 404 response logs and actual database state changes

Detection Strategies

• Monitor HTTP DELETE requests to UDR Traffic Influence Subscription endpoints for anomalous patterns
• Implement database audit logging to track subscription deletions and correlate with API responses
• Deploy network traffic analysis on the Service Based Interface to detect unauthorized access attempts

Monitoring Recommendations

• Enable comprehensive logging for all UDR service API operations, particularly DELETE requests
• Set up alerts for unexpected subscription deletions or rapid deletion patterns
• Implement integrity monitoring for Traffic Influence Subscription records in the UDR database

How to Mitigate CVE-2026-40246

Immediate Actions Required

• Restrict network access to the 5G Service Based Interface to trusted network segments only
• Implement additional authentication and authorization controls at the network perimeter
• Monitor UDR service logs for suspicious deletion activity
• Consider temporarily disabling the Traffic Influence Subscription deletion endpoint if operationally feasible

Patch Information

A patched version was not available at the time of publication. Organizations should monitor the free5GC GitHub repository for security updates and apply patches as soon as they become available.

Workarounds

• Deploy network segmentation to isolate the Service Based Interface from untrusted networks
• Implement Web Application Firewall (WAF) rules to validate and restrict Traffic Influence Subscription API requests
• Apply custom code patches to add the missing return statement after the 404 response in the vulnerable handler
• Enable strict access control lists (ACLs) on network equipment protecting the 5G core components

# Example: Network segmentation using iptables to restrict access to UDR service
# Restrict access to UDR service port (example port 8080) to trusted management network only
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP