free5GC UDR, Information Disclosure, CVE-2026-40245 (High)

Listen to this Post

The vulnerability resides in the free5GC UDR’s handling of HTTP GET requests to the `/nudr-dr/v2/application-data/influenceData/subs-to-notify` endpoint. The function `HandleApplicationDataInfluenceDataSubsToNotifyGet` in `./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/api_datarepository.go` (around line 2793) is responsible for validating the request.
The handler checks if the required query parameters (dnn, snssai, internalGroupId, or supi) are all empty. If they are, it correctly builds a `problemDetails` structure and calls `c.JSON(http.StatusBadRequest, problemDetails)` to send a 400 error.
However, the critical flaw is that after sending this error response, the function does not execute a `return` statement. Consequently, the execution flow continues and calls s.Processor().ApplicationDataInfluenceDataSubsToNotifyGetProcedure. This procedure ignores the error condition and proceeds to query the data repository. It then writes the entire list of Traffic Influence Subscriptions, including the sensitive `supis` (SUPI/IMSI) fields, into the HTTP response body.
As a result, the client receives a 400 Bad Request status code, but the body contains both the error message and the full, unredacted list of subscriber data. The root cause is the missing `return` statement after sending the error response, which allows the logic to fall through to the data-fetching routine.
Platform: free5GC core
Version: up to 4.2.1
Vulnerability : unauthenticated SUPI disclosure
Severity: High
date: 2026-04-14

Prediction: Patch released 2026-04-14

Analytics under What Undercode Say:

The following `bash` commands can be used to test for this vulnerability or to verify the patch.

Test for vulnerability: Unauthenticated GET request to leak SUPIs
curl -v "http://<udr-host>:<port>/nudr-dr/v2/application-data/influenceData/subs-to-notify"
Expected vulnerable response (HTTP 400 with body containing SUPI/IMSI):
{"status":400,"detail":"At least one of DNNs, S-NSSAIs, Internal Group IDs or SUPIs shall be provided"}
[{"dnns":["internet"],"snssais":[{"sst":1,"sd":"000001"}],"supis":["imsi-222777483957498"],...}]
Expected patched response (HTTP 400 with only error message):
{"status":400,"detail":"At least one of DNNs, S-NSSAIs, Internal Group IDs or SUPIs shall be provided"}
Alternatively, sending a malformed 'snssai' parameter also triggers the leak
curl -v "http://<udr-host>:<port>/nudr-dr/v2/application-data/influenceData/subs-to-notify?snssai=invalidjson"

Exploit:

An attacker with network access to the 5G Core’s Service Based Interface (SBI) can send a single unauthenticated HTTP GET request without any parameters to the vulnerable endpoint. The server will respond with a 400 error but include the full list of subscriber SUPIs/IMSIs in the body. This allows an attacker to enumerate all subscribers in the core network without any prior knowledge or credentials.

Protection from this CVE:

  1. Apply the Official Patch: The vulnerability is fixed in free5GC by adding two missing `return` statements in the `api_datarepository.go` file. Upgrade to the patched version or manually apply the fix from `free5gc/udr` pull request 56.
  2. Network Segmentation: Restrict access to the SBI interface. Ensure it is not exposed to untrusted networks. Use strict firewall rules to allow only trusted Network Functions (NFs) to communicate with the UDR.
  3. Monitor Logs: Monitor access logs for unexpected GET requests to the `/nudr-dr/v2/application-data/influenceData/subs-to-notify` endpoint, especially those lacking required parameters.

Impact:

This vulnerability allows an unauthenticated attacker to retrieve the permanent subscriber identifiers (SUPI/IMSI) of all users on the 5G core network. This directly undermines the 3GPP privacy mechanism (SUCI), which is designed to conceal the SUPI over the air. The exposed SUPI can be used for subscriber tracking, identity theft, and further attacks on the core network. Any free5GC deployment where the SBI is accessible by an untrusted party is critically impacted.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top