CVE-2026-40247
Published: 16 April 2026
Summary
CVE-2026-40247 is a high-severity Improper Authorization (CWE-285) vulnerability in free5GC. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery (T1087). The vulnerability ranks at the 8.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations, directly addressing the improper authorization (CWE-285) that allows unauthorized access to sensitive Traffic Influence Subscriptions despite a failed validation check.
SC-7 monitors and controls communications at external interfaces, mitigating unauthenticated network access to the vulnerable 5G Service Based Interface endpoint.
SI-11 ensures error handling prevents information disclosure during validation failures, countering the CWE-636 'failing open' behavior that leaks subscription data after a 404 response.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthorized retrieval of subscriber identifiers (SUPIs/IMSIs) and network configuration data from the UDR repository via a flawed authorization check, directly facilitating account discovery (T1087) and data collection from information repositories/databases (T1213).
NVD Description
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription data is returned alongside the 404 response. An unauthenticated attacker with access to the 5G Service Based Interface can read arbitrary Traffic Influence Subscriptions, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
Deeper analysis
CVE-2026-40247 is a vulnerability in the UDR service of free5GC, an open-source implementation of the 5G core network, affecting versions 4.2.1 and below. The issue stems from improper handling in the endpoint for reading Traffic Influence Subscriptions: the code checks if the influenceId path segment matches subs-to-notify and sends an HTTP 404 response on failure, but does not halt execution. As a result, the full subscription data is disclosed alongside the 404. This flaw is classified under CWE-285 (Improper Authorization) and CWE-636 (Not Failing Securely ('Failing Open')), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An unauthenticated attacker with network access to the 5G Service Based Interface can exploit this by sending a GET request to the affected endpoint with any arbitrary value in the influenceId path segment. Upon validation failure, the response includes sensitive details from arbitrary Traffic Influence Subscriptions, such as SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs, enabling reconnaissance of subscriber information and network configurations.
The GitHub security advisory (GHSA-x5r2-r74c-3w28) notes that no patched version of free5GC was available at the time of publication on 2026-04-16. Security practitioners should restrict access to the 5G Service Based Interface, monitor for updates from the free5GC project, and consider implementing network-level controls until a fix is released.
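The fail-open pattern described above, reduced to a standard-library Go handler shown next to its hardened form, with a check for the symptom (a 404 that still carries a body). This is an added illustration, not free5GC's code: the /influence/ route, the function names and the sample record are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumptions: constructed sample record and a hypothetical /influence/ route, not free5GC's own.
var subs = []map[string]string{{"supi": "imsi-001010000000001", "dnn": "internet"}}

func validID(r *http.Request) bool {
	return strings.TrimPrefix(r.URL.Path, "/influence/") == "subs-to-notify"
}

// readFlawed sends the 404 but keeps executing, so the data follows the error status.
func readFlawed(w http.ResponseWriter, r *http.Request) {
	if !validID(r) {
		w.WriteHeader(http.StatusNotFound)
	}
	json.NewEncoder(w).Encode(subs)
}

// readHardened returns as soon as validation fails; the data path is unreachable after rejection.
func readHardened(w http.ResponseWriter, r *http.Request) {
	if !validID(r) {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(subs)
}

// probe sends a GET to the handler in memory and returns the status code and body.
func probe(h http.HandlerFunc, path string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

// leaks flags the failure mode: a 404 status that still carries a response body.
func leaks(status int, body string) bool {
	return status == http.StatusNotFound && strings.TrimSpace(body) != ""
}

func main() {
	fmt.Println(probe(readFlawed, "/influence/anything"))
	fmt.Println(probe(readHardened, "/influence/anything"))
}
```

The same leaks condition can be applied to proxy or gateway logs in front of the Service Based Interface: a 404 on this endpoint with a non-zero response size is the observable symptom.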
Details
- CWE(s)