CVE-2026-40248
Published: 16 April 2026
Summary
CVE-2026-40248 is a high-severity Improper Authorization (CWE-285) vulnerability in free5GC. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at percentile 8.2 for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations to prevent unauthenticated attackers from creating or overwriting arbitrary Traffic Influence Subscriptions in the UDR service.
Requires secure error handling to terminate processing after validation failure, mitigating the fail-open behavior where execution continues despite HTTP 404 response.
Validates information inputs such as the influenceId path segment to block malformed requests that bypass authorization checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the exposed UDR service on the 5G SBI allows unauthenticated remote creation or overwriting of arbitrary subscriptions, bypassing validation. This directly enables exploitation of a public-facing application and manipulation of stored data through injected notificationUri and SUPI values.
NVD Description
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is created or overwritten regardless. An unauthenticated attacker with access to the 5G Service Based Interface can create or overwrite arbitrary Traffic Influence Subscriptions, including injecting attacker-controlled notificationUri values and arbitrary SUPIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.
Deeper analysis
CVE-2026-40248 affects the UDR service in free5GC, an open-source implementation of the 5G core network, in versions 4.2.1 and below. The vulnerability resides in the handler for creating or updating Traffic Influence Subscriptions, which checks whether the influenceId path segment equals subs-to-notify but does not terminate execution after sending an HTTP 404 response upon validation failure. As a result, processing continues, enabling the subscription to be created or overwritten regardless of the validation outcome.
An unauthenticated attacker with access to the 5G Service Based Interface can exploit this flaw by supplying any arbitrary value for the influenceId path segment. Successful exploitation allows the creation or overwriting of arbitrary Traffic Influence Subscriptions, including the injection of attacker-controlled notificationUri values and arbitrary SUPIs. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting high integrity impact with no prerequisites beyond network access.
The GitHub security advisory (GHSA-jgq2-qv8v-5cmj) notes that no patched version was available at the time of publication on 2026-04-16. It associates the issue with CWE-285 (Improper Authorization) and CWE-636 (Not Failing Securely ('Failing Open')). Practitioners should restrict access to the 5G Service Based Interface and monitor the free5GC repository for patches.
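The fail-open pattern described above, shown beside its fail-closed form as an added Go example; this is not free5GC's code. The route shape, the `handler` and `probe` names, the in-memory map standing in for the UDR store, and the request body are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// handler serves PUT /influenceData/{influenceId}/{subscriptionId} (hypothetical route).
// failClosed=false reproduces the missing return after the 404.
func handler(subs map[string]string, failClosed bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(parts) != 3 {
			http.Error(w, "bad path", http.StatusBadRequest)
			return
		}
		if parts[1] != "subs-to-notify" {
			http.Error(w, "not found", http.StatusNotFound)
			if failClosed {
				return // the statement the vulnerable handler lacks
			}
			// Fail-open: the 404 is already sent, yet execution falls through.
		}
		body, _ := io.ReadAll(r.Body)
		subs[parts[2]] = string(body)       // create or overwrite the subscription
		w.WriteHeader(http.StatusNoContent) // ignored if a status was already written
	}
}

// probe sends one constructed request and returns the status the client sees
// and whether the store was modified.
func probe(failClosed bool, influenceID string) (int, bool) {
	subs := map[string]string{}
	req := httptest.NewRequest(http.MethodPut, "/influenceData/"+influenceID+"/sub-1",
		strings.NewReader(`{"notificationUri":"http://example.invalid/cb"}`))
	rec := httptest.NewRecorder()
	handler(subs, failClosed)(rec, req)
	_, stored := subs["sub-1"]
	return rec.Code, stored
}

func main() {
	for _, failClosed := range []bool{false, true} {
		code, stored := probe(failClosed, "anything-else")
		fmt.Printf("failClosed=%v status=%d stored=%v\n", failClosed, code, stored)
	}
}
```

In the fail-open case the client receives 404 while the store still changes, so the response status alone does not show that the write was refused.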
Details
- CWE(s)