Summary
An information disclosure vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to retrieve stored subscriber identifiers (SUPI/IMSI) with a single HTTP GET request requiring no parameters or credentials.
Details
The endpoint GET /nudr-dr/v2/application-data/influenceData/subs-to-notify (defined in 3GPP TS 29.519) requires at least one query parameter (dnns, snssais, supis, or internalGroupIds) to filter results.
In the free5GC UDR implementation, the input validation is present but ineffective because the handler does not return after sending the HTTP 400 error. The request handling flow is:
- The function
HandleApplicationDataInfluenceDataSubsToNotifyGetin./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/api_datarepository.go(around line 2793) checks whether all ofdnn,snssai,internalGroupId,
andsupiare empty. - If they are all empty, it builds a
problemDetailsstructure and callsc.JSON(http.StatusBadRequest, problemDetails)to send a 400 response, but it does not return afterwards. - Execution continues and the handler still calls
s.Processor().ApplicationDataInfluenceDataSubsToNotifyGetProcedure(c, dnn,snssai, internalGroupId, supi)defined in./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/processor/influence_data_subscriptions_collection.go. - This processor function queries the data repository and writes the full list of Traffic Influence Subscriptions to the HTTP response body, including
supisfields with SUPI/IMSI values.
As a result, a request without any query parameters produces a response where the HTTP status is 400 Bad Request, but the body contains both the error object and the full subscription list.
The missing return after sending the 400 response in api_datarepository.go is the root cause of this vulnerability.
PoC
No authentication, no prior knowledge of any subscriber identifier required.
curl -v "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify"
Response (HTTP 400):
{"status":400,"detail":"At least one of DNNs, S-NSSAIs, Internal Group IDs or SUPIs shall be provided"}
[{"dnns":["internet"],
"snssais":[{"sst":1,"sd":"000001"}],
"supis":["imsi-222777483957498"],
"notificationUri":"http://pcf.../npcf-callback/v1/nudr-notify/influence-data/imsi-222777483957498/1"}]
Impact
This is an unauthenticated information disclosure vulnerability. Any attacker with network access to the SBI (Service Based Interface) can enumerate SUPIs (Subscriber Permanent Identifiers / IMSI values) of registered users without any credentials or prior knowledge.
In a 5G network, the SUPI is the most sensitive subscriber identifier, its exposure breaks the privacy guarantees introduced by 3GPP with the SUCI (Subscription Concealed Identifier) mechanism, designed specifically to prevent SUPI tracking over the air. This vulnerability completely undermines that protection at the core network level.
Impacted deployments: any free5GC instance where the SBI is reachable by untrusted parties (e.g., misconfigured network segmentation, rogue NF, or compromised internal host).
Note: an additional trigger exists, sending a malformed snssai parameter also bypasses validation due to a missing return after the deserialization error handler, producing the same information disclosure.
CVE-2026-40245 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The vulnerability has been confirmed patched by adding the two missing return statements in NFs/udr/internal/sbi/api_datarepository.go, function HandleApplicationDataInfluenceDataSubsToNotifyGet:
- After the
c.JSON(http.StatusBadRequest, problemDetails)call in thesnssaideserialization error branch. - After the
c.JSON(http.StatusBadRequest, problemDetails)call in the empty parameters validation block.
With the patch applied, a request without any query parameters now correctly returns HTTP 400 with only the error message, and no subscriber data is included in the response body.
The fix has been verified: after applying the patch and recompiling the UDR, the endpoint GET /nudr-dr/v2/application-data/influenceData/subs-to-notify returns HTTP 400 with only:
{"status":400,"detail":"At least one of DNNs, S-NSSAIs, Internal Group IDs
or SUPIs shall be provided"}
No SUPI or subscription data is leaked.
Frequently Asked Questions
- What is CVE-2026-40245? CVE-2026-40245 is a high-severity security vulnerability in github.com/free5gc/udr (go), affecting versions <= 1.4.2. No fixed version is listed yet.
- How severe is CVE-2026-40245? CVE-2026-40245 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/free5gc/udr are affected by CVE-2026-40245? github.com/free5gc/udr (go) versions <= 1.4.2 is affected.
- Is there a fix for CVE-2026-40245? No fixed version is listed for CVE-2026-40245 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-40245 exploitable, and should I be worried? Whether CVE-2026-40245 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-40245 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.