Cyber Posture

CVE-2026-40245

High · Public PoC

Published: 16 April 2026

Modified: 21 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0008 (23.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40245 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Free5GC. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). The CVE ranks at the 23.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Databases (T1213.006).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Proper error handling ensures execution terminates after sending HTTP 400 for missing or malformed query parameters, preventing disclosure of sensitive SUPI/IMSI in the response body.

prevent

Enforces authentication and authorization requirements for access to the UDR service endpoint, blocking unauthenticated requests that could exploit the vulnerability.

prevent

Filters sensitive subscriber identifiers from API responses, mitigating unintended inclusion of Traffic Influence Subscriptions data even if processing continues erroneously.

MITRE ATT&CK Enterprise Techniques · AI

T1213.006 Databases (Tactic: Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The vulnerability directly enables unauthenticated retrieval of sensitive subscriber data (SUPI/IMSI) from the UDR information repository/database via the exposed SBI endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability in the UDR (Unified Data Repository) service. The handler for GET /nudr-dr/v2/application-data/influenceData/subs-to-notify sends an HTTP 400 error response when required query parameters are missing but does not return afterward. Execution continues into the processor function, which queries the data repository and appends the full list of Traffic Influence Subscriptions, including SUPI/IMSI values, to the response body. An unauthenticated attacker with network access to the 5G Service Based Interface can retrieve stored subscriber identifiers with a single parameterless HTTP GET request. The SUPI is the most sensitive subscriber identifier in 5G networks, and its exposure undermines the privacy guarantees of the 3GPP SUCI concealment mechanism at the core network level. A similar bypass exists when sending a malformed snssai parameter due to the same missing return pattern.

Deeper analysis · AI

CVE-2026-40245 is an information disclosure vulnerability affecting Free5GC, an open-source Linux Foundation project for 5G mobile core networks, in versions 4.2.1 and below. The issue resides in the Unified Data Repository (UDR) service, where the handler for the GET /nudr-dr/v2/application-data/influenceData/subs-to-notify endpoint responds with an HTTP 400 error for missing required query parameters but fails to return, allowing execution to continue into the processor function. This appends the full list of Traffic Influence Subscriptions, including sensitive SUPI/IMSI subscriber identifiers, to the response body. A similar bypass occurs with a malformed snssai parameter due to the same missing return pattern. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWEs 200, 202, and 209.

An unauthenticated attacker with network access to the 5G Service Based Interface (SBI) can exploit this by sending a single parameterless HTTP GET request to the vulnerable endpoint, retrieving the complete list of stored subscriber identifiers. The exposure of SUPI, the most sensitive subscriber identifier in 5G networks, undermines the privacy protections of the 3GPP SUCI concealment mechanism at the core network level, potentially enabling tracking, impersonation, or further attacks on subscribers.

For mitigation details, refer to the official GitHub security advisory at https://github.com/free5gc/free5gc/security/advisories/GHSA-wrwh-rpq4-87hf.
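The missing-return pattern described in the NVD description and the analysis above, shown beside its corrected form. This is an added example, not free5GC's code: it uses Go's standard `net/http` package, and `validate`, `handler`, `probe`, `subs` and `endpoint` are hypothetical names, with "required parameters" simplified to "at least one parameter present" and a constructed SUPI value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const endpoint = "/nudr-dr/v2/application-data/influenceData/subs-to-notify"

// Constructed record; the SUPI is a made-up test value, not real subscriber data.
var subs = []map[string]string{{"supi": "imsi-001010000000001"}}

// validate is a simplified stand-in for the handler's parameter checks (assumption).
func validate(r *http.Request) string {
	q := r.URL.Query()
	if len(q) == 0 {
		return "missing query parameters"
	}
	if s := q.Get("snssai"); s != "" && !json.Valid([]byte(s)) {
		return "malformed snssai"
	}
	return ""
}

// handler builds both variants; they differ only in the return after the 400.
func handler(returnOnError bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if msg := validate(r); msg != "" {
			http.Error(w, msg, http.StatusBadRequest)
			if returnOnError {
				return // the fix: stop before the repository is queried
			}
		}
		json.NewEncoder(w).Encode(subs) // stand-in for the processor function
	}
}

// probe sends one GET and reports the status code and response body.
func probe(h http.HandlerFunc, target string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	for _, fixed := range []bool{false, true} {
		fmt.Println(probe(handler(fixed), endpoint))
	}
}
```

Both variants answer with status 400, so the status code alone does not show whether a deployment is affected; a regression test has to assert that the error response body carries no subscriber records.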

Details

CWE(s)

Affected Products

free5gc free5gc ≤ 4.2.1

CVEs Like This One

CVE-2026-1974 · Same product: Free5Gc Free5Gc
CVE-2026-33062 · Same product: Free5Gc Free5Gc
CVE-2025-70122 · Same product: Free5Gc Free5Gc
CVE-2026-30653 · Same product: Free5Gc Free5Gc
CVE-2026-1973 · Same product: Free5Gc Free5Gc
CVE-2026-33063 · Same product: Free5Gc Free5Gc
CVE-2026-40246 · Same product: Free5Gc Free5Gc
CVE-2026-1683 · Same product: Free5Gc Free5Gc
CVE-2026-1975 · Same product: Free5Gc Free5Gc
CVE-2026-40248 · Same product: Free5Gc Free5Gc
