CVE-2026-40246
Published: 16 April 2026
Summary
CVE-2026-40246 is a high-severity Improper Authorization (CWE-285) vulnerability in free5GC. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-24 (Fail in Known State).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
The vulnerability is a direct failure to enforce approved authorizations for deleting Traffic Influence Subscriptions after path segment validation.
Flawed error handling sends a 404 response on validation failure but allows execution to continue, enabling unauthorized subscription deletion.
The handler fails to return to a secure state after validation failure, instead proceeding with the deletion operation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is in a public-facing 5G SBI API endpoint (UDR service) and is directly exploited by an unauthenticated network attacker sending a crafted DELETE request, matching T1190 Exploit Public-Facing Application.
NVD Description
free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is deleted regardless. An unauthenticated attacker with access to the 5G Service Based Interface can delete arbitrary Traffic Influence Subscriptions by supplying any value for the influenceId path segment, while the API misleadingly returns a 404 Not Found response. A patched version was not available at the time of publication.
Deeper analysis
CVE-2026-40246 affects the UDR service in free5GC, an open-source implementation of the 5G core network, in versions 1.4.2 and prior. The vulnerability resides in the handler for deleting Traffic Influence Subscriptions, which validates whether the influenceId path segment matches subs-to-notify. Upon validation failure, it sends an HTTP 404 Not Found response but fails to halt execution, allowing the subscription deletion to proceed regardless. This flaw, classified under CWE-285 (Improper Authorization), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact potential.
An unauthenticated attacker with network access to the 5G Service Based Interface can exploit this by sending a DELETE request with an arbitrary influenceId value in the path segment. The API will misleadingly return a 404 response, masking the successful deletion of any target Traffic Influence Subscription. This enables disruption of policy and charging control mechanisms reliant on these subscriptions within the 5G core.
The GitHub security advisory (GHSA-g9cw-qwhf-24jp) details the issue but notes no patched version was available at the time of publication on 2026-04-16. Security practitioners should monitor the free5GC repository for updates, restrict Service Based Interface exposure, and implement network-level access controls until a fix emerges.
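As an added illustration, not free5GC's own code, the handler pattern described above is shown next to a fail-closed version in Go using net/http, with a regression helper to confirm the fix. The route shape {influenceId}/{subscriptionId}, the in-memory Store and the function names are assumptions made for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Store is a constructed in-memory stand-in for the UDR's subscription storage, keyed by subscriptionId.
type Store map[string]bool

// pathIDs returns the last two path segments, assumed here to be {influenceId}/{subscriptionId}.
func pathIDs(p string) (influenceID, subID string) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) < 2 {
		return "", ""
	}
	return parts[len(parts)-2], parts[len(parts)-1]
}

// VulnerableDelete reproduces the advisory's pattern: the 404 is written when influenceId is not
// "subs-to-notify", but the handler does not return, so the deletion below still runs.
func VulnerableDelete(store Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		influenceID, subID := pathIDs(r.URL.Path)
		if influenceID != "subs-to-notify" {
			w.WriteHeader(http.StatusNotFound) // bug: no return after the error response
		}
		delete(store, subID)
		w.WriteHeader(http.StatusNoContent) // ignored: a status was already written
	}
}

// FixedDelete fails closed (SC-24): every validation failure returns before the deletion runs.
func FixedDelete(store Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		influenceID, subID := pathIDs(r.URL.Path)
		if influenceID != "subs-to-notify" || !store[subID] {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		delete(store, subID)
		w.WriteHeader(http.StatusNoContent)
	}
}

// Status issues a DELETE for path against h and returns the status code, for use in a regression test.
func Status(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodDelete, path, nil))
	return rec.Code
}
```

The regression check is the useful part: the vulnerable handler answers 404 yet the entry is gone, while the fixed handler answers 404 and leaves the store untouched.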
Details
- CWE(s)