PT-2026-32973 · Free5Gc · Free5Gc

Published: 2026-04-14 · Updated: 2026-04-17 · CVE-2026-40246

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: free5GC versions 1.4.2 and earlier

Description: An improper path validation issue exists in the UDR service. An unauthenticated attacker with access to the 5G Service Based Interface can delete arbitrary Traffic Influence Subscriptions by providing any value for the influenceId path segment of the endpoint '/nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}'. The function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete() checks whether influenceId equals 'subs-to-notify' and sends an HTTP 404 response if it does not; however, it fails to stop execution afterwards. Processing therefore continues into ApplicationDataInfluenceDataSubsToNotifySubscriptionIdDeleteProcedure(), which deletes the subscription identified by subscriptionId despite the invalid path and the misleading 404 response.

Recommendations: For versions 1.4.2 and earlier, add a return statement immediately after the HTTP 404 response is sent in the HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete() function within the 'NFs/udr/internal/sbi/api datarepository.go' file, so that execution stops when validation fails.
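The control flow described above, reproduced as an added example in plain net/http (this is not free5GC's own code: the Subs store, DeleteHandler and Call helper are assumptions standing in for the project's router, handler and database). With fixed=false the 404 is written but the delete still runs; with fixed=true the recommended return stops it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Subs is a constructed in-memory stand-in for the UDR subscription store (an assumption of this example).
type Subs map[string]bool

// DeleteHandler models the endpoint from the advisory. fixed=false reproduces the bug
// (404 written, execution continues); fixed=true adds the return the advisory recommends.
func DeleteHandler(store Subs, fixed bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// .../influenceData/{influenceId}/{subscriptionId}: take the last two segments.
		p := strings.Split(r.URL.Path, "/")
		if len(p) < 2 {
			http.NotFound(w, r)
			return
		}
		influenceId, subscriptionId := p[len(p)-2], p[len(p)-1]
		if influenceId != "subs-to-notify" {
			w.WriteHeader(http.StatusNotFound)
			if fixed {
				return // the one-line fix: stop after the 404
			}
			// vulnerable build: no return, so the delete below still runs
		}
		delete(store, subscriptionId)       // executes despite the 404 in the vulnerable build
		w.WriteHeader(http.StatusNoContent) // ignored there: a status was already written
	}
}

// Call sends an in-process DELETE to the handler and returns the response status code.
func Call(h http.HandlerFunc, path string) int {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodDelete, path, nil))
	return rec.Code
}

func main() {
	for _, fixed := range []bool{false, true} {
		s := Subs{"sub-1": true}
		code := Call(DeleteHandler(s, fixed), "/nudr-dr/v2/application-data/influenceData/bogus/sub-1")
		fmt.Printf("fixed=%v: status=%d, sub-1 still present=%v\n", fixed, code, s["sub-1"])
	}
}
```

The same pattern applies to any handler that reports a validation failure without returning: a test that asserts on state after an error response, not only on the status code, is what catches it.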

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2026-40246
GHSA-G9CW-QWHF-24JP

Affected Products

Free5Gc