CVE-2026-40245

Name of the Vulnerable Software and Affected Versions Free5GC versions 4.2.1 and earlier

Description An information disclosure issue exists in the UDR (Unified Data Repository) service. An unauthenticated attacker with network access to the 5G Service Based Interface can retrieve stored subscriber identifiers, specifically SUPI (Subscriber Permanent Identifier) and IMSI values, by sending a parameterless HTTP GET request to the endpoint '/nudr-dr/v2/application-data/influenceData/subs-to-notify'.

The issue occurs because the function HandleApplicationDataInfluenceDataSubsToNotifyGet sends an HTTP 400 error response when required query parameters are missing but fails to stop execution. This allows the process to continue into the processor function, which queries the data repository and appends the full list of Traffic Influence Subscriptions to the response body. A similar bypass occurs when providing a malformed snssai parameter. The exposure of the SUPI undermines the privacy guarantees of the 3GPP SUCI (Subscription Concealed Identifier) concealment mechanism at the core network level.

Recommendations For versions 4.2.1 and earlier, update the software to a version where the missing return statements are added to the HandleApplicationDataInfluenceDataSubsToNotifyGet function in the NFs/udr/internal/sbi/api datarepository.go file to ensure execution stops after an error response is sent.