Cyber Resilience

CVE-2026-40248

High · Public PoC

Published: 16 April 2026
Modified: 23 April 2026
KEV Added
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0043 (34.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40248 is a high-severity Improper Authorization (CWE-285) vulnerability in free5GC. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-40248 affects the UDR service in free5GC, an open-source implementation of the 5G core network, in versions 4.2.1 and below. The vulnerability resides in the handler for creating or updating Traffic Influence Subscriptions, which checks whether the influenceId path segment equals subs-to-notify but does not terminate execution after sending an HTTP 404 response upon validation failure. As a result, processing continues, enabling the subscription to be created or overwritten regardless of the validation outcome.

An unauthenticated attacker with access to the 5G Service Based Interface can exploit this flaw by supplying any arbitrary value for the influenceId path segment. Successful exploitation allows the creation or overwriting of arbitrary Traffic Influence Subscriptions, including the injection of attacker-controlled notificationUri values and arbitrary SUPIs. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting high integrity impact with no prerequisites beyond network access.

The GitHub security advisory (GHSA-jgq2-qv8v-5cmj) notes that no patched version was available at the time of publication on 2026-04-16. It associates the issue with CWE-285 (Improper Authorization) and CWE-636 (Not Failing Securely ('Failing Open')). Practitioners should restrict access to the 5G Service Based Interface and monitor the free5GC repository for patches.
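The fail-open pattern described above, next to its fail-closed fix, as an added Go example that is not free5GC's code. The route, the in-memory store, the names `handler` and `probe`, and the request body are all constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// store stands in for the UDR's subscription storage (hypothetical).
type store map[string]string

// handler serves PUT /influenceData/{influenceId}/{subscriptionId} (assumed route).
// With returnOnFail=false it fails open: the 404 is sent, then the write still runs.
func handler(db store, returnOnFail bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(p) != 3 {
			http.Error(w, "bad path", http.StatusBadRequest)
			return
		}
		if p[1] != "subs-to-notify" {
			http.Error(w, "not found", http.StatusNotFound)
			if returnOnFail {
				return // the fix: stop once the request has been rejected
			}
		}
		body, _ := io.ReadAll(r.Body)
		db[p[2]] = string(body)           // create or overwrite the subscription
		w.WriteHeader(http.StatusCreated) // ignored if the 404 was already sent
	}
}

// probe sends one constructed request and returns the status the client saw
// and whether storage changed; a 404 with stored=true is the fail-open signature.
func probe(returnOnFail bool, influenceID string) (int, bool) {
	db := store{}
	req := httptest.NewRequest(http.MethodPut, "/influenceData/"+influenceID+"/sub-1",
		strings.NewReader(`{"notificationUri":"http://callback.example/n"}`))
	rec := httptest.NewRecorder()
	handler(db, returnOnFail)(rec, req)
	_, stored := db["sub-1"]
	return rec.Code, stored
}

func main() {
	fmt.Println(probe(false, "anything")) // fail-open handler
	fmt.Println(probe(true, "anything"))  // fail-closed handler
}
```

Because the client still receives a 404, access logs alone do not reveal the write; a regression test for handlers of this shape has to assert on stored state as well as on the status code.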

Vulnerability details

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is created or overwritten regardless. An unauthenticated attacker with access to the 5G Service Based Interface can create or overwrite arbitrary Traffic Influence Subscriptions, including injecting attacker-controlled notificationUri values and arbitrary SUPIs, by supplying any value for the influenceId path segment. A patched version was not available at the time of publication.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability in the UDR service exposed on the 5G SBI allows unauthenticated remote creation or overwriting of arbitrary subscriptions (bypassing validation). This maps directly to exploitation of a public-facing application and to stored data manipulation via injected notificationUri/SUPI values.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40247 (same product: free5GC)
CVE-2026-40246 (same product: free5GC)
CVE-2026-44328 (same product: free5GC)
CVE-2026-42459 (same product: free5GC)
CVE-2026-44329 (same product: free5GC)
CVE-2026-44315 (same product: free5GC)
CVE-2026-44316 (same product: free5GC)
CVE-2026-44326 (same product: free5GC)
CVE-2026-44327 (same product: free5GC)
CVE-2026-42083 (same product: free5GC)

Affected Assets

free5gc
free5gc
≤ 4.2.1

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Enforces approved authorizations to prevent unauthenticated attackers from creating or overwriting arbitrary Traffic Influence Subscriptions in the UDR service.

Prevent: Requires secure error handling to terminate processing after validation failure, mitigating the fail-open behavior where execution continues despite the HTTP 404 response.

Prevent: Validates information inputs such as the influenceId path segment to block malformed requests that bypass authorization checks.
