PT-2026-32974 · Free5Gc · Free5Gc

Published 2026-04-14 · Updated 2026-04-17 · CVE-2026-40247

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: free5GC versions 4.2.1 and earlier

Description: An improper path validation issue exists in the UDR service. The endpoint 'GET /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}' is designed to operate only when the influenceId path segment is exactly 'subs-to-notify'. However, the function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdGet sends an HTTP 404 response when that validation fails but does not stop execution, so the handler continues into the subscription lookup. This allows an unauthenticated attacker with access to the 5G Service Based Interface to read arbitrary Traffic Influence Subscriptions, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs, by supplying any value for the influenceId segment.

Recommendations: Update free5GC to a version where the HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdGet function in the UDR service includes a return statement after the 404 error response is sent.
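The defect class described above (an error response written without a return, so the handler keeps executing) is easy to miss in review because the client still sees a 404 status; only the body gives it away. The following Go example is added here to illustrate that pattern and its fix; it is not free5GC's code. The route prefix follows the endpoint named in the advisory, but the InfluenceSubscription type, the in-memory store, the handler names and the sample SUPI are all constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// routePrefix is the fixed part of the endpoint path from the advisory.
const routePrefix = "/nudr-dr/v2/application-data/influenceData/"

// InfluenceSubscription is a reduced, constructed model of a Traffic Influence
// Subscription holding only the fields the advisory lists as sensitive.
type InfluenceSubscription struct {
	SubscriptionID  string `json:"subscriptionId"`
	Supi            string `json:"supi"`
	Dnn             string `json:"dnn"`
	NotificationURI string `json:"notificationUri"`
}

// store is a constructed in-memory stand-in for the UDR's subscription data.
var store = map[string]InfluenceSubscription{
	"sub-1": {"sub-1", "imsi-208930000000001", "internet", "http://af.example/notify"},
}

// parsePath extracts {influenceId} and {subscriptionId} from the request path.
func parsePath(p string) (influenceID, subscriptionID string, ok bool) {
	rest := strings.TrimPrefix(p, routePrefix)
	if rest == p {
		return "", "", false
	}
	parts := strings.Split(rest, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// writeSubscription performs the lookup and emits the record as JSON.
func writeSubscription(w http.ResponseWriter, subscriptionID string) {
	sub, found := store[subscriptionID]
	if !found {
		http.Error(w, "subscription not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(sub)
}

// vulnerableHandler reproduces the defect pattern: the 404 status is written,
// but control falls through and the record is served in the body anyway.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	influenceID, subscriptionID, ok := parsePath(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	if influenceID != "subs-to-notify" {
		w.WriteHeader(http.StatusNotFound)
		// BUG: no return here, so execution continues into the lookup below.
	}
	writeSubscription(w, subscriptionID)
}

// fixedHandler is identical except that the validation branch returns.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	influenceID, subscriptionID, ok := parsePath(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	if influenceID != "subs-to-notify" {
		w.WriteHeader(http.StatusNotFound)
		return // FIX: stop after the error response is written.
	}
	writeSubscription(w, subscriptionID)
}

// probe sends an in-process GET to a handler and returns status and body.
func probe(h http.HandlerFunc, path string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

// leaksSubscriberData reports whether a response body carries a SUPI.
func leaksSubscriberData(body string) bool {
	return strings.Contains(body, "imsi-")
}

func main() {
	bad := routePrefix + "not-subs-to-notify/sub-1"
	handlers := map[string]http.HandlerFunc{"vulnerable": vulnerableHandler, "fixed": fixedHandler}
	for name, h := range handlers {
		status, body := probe(h, bad)
		fmt.Printf("%-10s status=%d leaks=%v\n", name, status, leaksSubscriberData(body))
	}
}
```

Running it shows both handlers answering 404 for a rejected influenceId, which is why a status-only check in tests or monitoring does not catch this bug; only the vulnerable handler's body carries the SUPI. A regression test for this class of defect should assert on the body (empty, or an error document) after every early error response, not just on the status code.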

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2026-40247
GHSA-X5R2-R74C-3W28

Affected Products

Free5Gc