PT-2026-32975 · Unknown · Free5Gc Udr

Published 2026-04-14 · Updated 2026-04-17 · CVE-2026-40248

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: free5GC UDR service versions prior to 4.2.1

Description: An improper path validation issue exists in the UDR service. The handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals 'subs-to-notify', but fails to stop execution after sending an HTTP 404 response when that check fails. This allows an unauthenticated attacker with access to the 5G Service Based Interface to create or overwrite arbitrary Traffic Influence Subscriptions by supplying any value for the influenceId path segment. This can lead to the injection of attacker-controlled notificationUri values and arbitrary SUPIs. The issue occurs in the function HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdPut() at the endpoint '/nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}'.

Recommendations: Update the UDR service to a version in which the HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdPut() function returns immediately after the 404 response is sent. Restrict access to the 5G Service Based Interface to authorized entities only to minimize the risk of exploitation.
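The defect class the advisory describes (a validation check that writes a 404 but does not return, so the handler keeps running) is easy to reproduce in a minimal net/http handler. The following is an added, hypothetical illustration and is not free5GC's code: the store, the path parsing and the handler name are constructed, and `fixed` selects between the fall-through behaviour and the one-line fix.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// influenceDataSubsPut returns a handler for
// PUT /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}.
// store maps "influenceId/subscriptionId" to the raw request body (constructed stand-in
// for the UDR's storage). With fixed=false the influenceId check writes a 404 but
// execution continues; hypothetical code, not free5GC's handler.
func influenceDataSubsPut(store map[string]string, fixed bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(parts) != 6 {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		influenceID, subscriptionID := parts[4], parts[5]
		if influenceID != "subs-to-notify" {
			w.WriteHeader(http.StatusNotFound)
			if fixed {
				return // the missing statement: stop once the 404 has been sent
			}
			// vulnerable variant falls through and persists the record anyway
		}
		body, _ := io.ReadAll(r.Body)
		store[influenceID+"/"+subscriptionID] = string(body)
		w.WriteHeader(http.StatusCreated) // no effect once a 404 header has been sent
	}
}

// putSubscription issues one PUT against the chosen variant and reports the status the
// client saw and whether the record was stored regardless of that status.
func putSubscription(fixed bool, influenceID, subscriptionID, body string) (int, bool) {
	store := map[string]string{}
	path := "/nudr-dr/v2/application-data/influenceData/" + influenceID + "/" + subscriptionID
	rec := httptest.NewRecorder()
	influenceDataSubsPut(store, fixed).ServeHTTP(rec, httptest.NewRequest(http.MethodPut, path, strings.NewReader(body)))
	_, stored := store[influenceID+"/"+subscriptionID]
	return rec.Code, stored
}

func main() {
	body := `{"notificationUri":"http://example.invalid/cb"}` // constructed sample body
	for _, fixed := range []bool{false, true} {
		code, stored := putSubscription(fixed, "anything", "sub1", body)
		fmt.Printf("fixed=%v status=%d stored=%v\n", fixed, code, stored)
	}
}
```

The client sees a 404 in both variants; only the store reveals the difference, which is why this class of bug is invisible to tests that assert on the response code alone.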

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2026-40248
GHSA-JGQ2-QV8V-5CMJ

Affected Products

Free5Gc Udr