Free5GC UDR Service Leaks 5G Subscriber Identifiers
The National Vulnerability Database (NVD) recently disclosed a critical information disclosure vulnerability, CVE-2026-40245, affecting Free5GC versions 4.2.1 and below. Free5GC, an open-source Linux Foundation project for 5G mobile core networks, has a flaw in its Unified Data Repository (UDR) service that could expose sensitive subscriber identifiers.
According to the NVD, the handler for GET /nudr-dr/v2/application-data/influenceData/subs-to-notify fails to properly terminate execution after returning an HTTP 400 error for missing query parameters. This oversight allows the execution to continue into the processor function, which then queries the data repository and appends a full list of Traffic Influence Subscriptions, including Subscriber Permanent Identifier (SUPI) and International Mobile Subscriber Identity (IMSI) values, to the response body. An unauthenticated attacker with network access to the 5G Service Based Interface can exploit this with a single parameterless HTTP GET request. A similar bypass exists when sending a malformed snssai parameter, stemming from the same logical flaw.
This is a pretty big deal. The SUPI is the most sensitive subscriber identifier in 5G networks. Its exposure at the core network level fundamentally undermines the privacy guarantees of the 3GPP SUCI (Subscription Concealed Identifier) concealment mechanism. This isn’t just a minor info leak; it’s a direct shot at subscriber privacy within the 5G core. The NVD assigns this a CVSS score of 7.5 (HIGH), underscoring the severity of this unauthenticated information disclosure.
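The fall-through described above, reduced to a minimal Go sketch beside its corrected form. This is an added example, not Free5GC's own code: the handler and `processor` names, the single `snssai` presence check, and the sample SUPI are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample record; the SUPI is a made-up test value.
var subs = []map[string]string{{"supi": "imsi-001010000000001", "notificationUri": "http://af.example/notify"}}

// processor stands in for the repository query (hypothetical name).
func processor(w http.ResponseWriter) {
	json.NewEncoder(w).Encode(subs)
}

// vulnerableHandler writes the 400 but then falls through to the processor.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Query().Get("snssai") == "" { // simplified validation (assumption)
		http.Error(w, "missing query parameter", http.StatusBadRequest)
		// no return here: execution continues past the error response
	}
	processor(w)
}

// fixedHandler stops as soon as the request has been rejected.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Query().Get("snssai") == "" {
		http.Error(w, "missing query parameter", http.StatusBadRequest)
		return
	}
	processor(w)
}

// probe sends a parameterless GET and reports the status and whether a SUPI is in the body.
func probe(h http.HandlerFunc) (int, bool) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/nudr-dr/v2/application-data/influenceData/subs-to-notify", nil))
	return rec.Code, strings.Contains(rec.Body.String(), "imsi-")
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableHandler, "fixed": fixedHandler} {
		code, leaked := probe(h)
		fmt.Printf("%-10s status=%d supi_in_body=%v\n", name, code, leaked)
	}
}
```

Both handlers answer 400; only the one without the `return` also carries subscription data, so a 400 response from this endpoint whose body contains SUPI values is the signature to check for when validating a patched build.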
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40245 | Information Disclosure | Free5GC versions 4.2.1 and below |
| CVE-2026-40245 | Information Disclosure | Free5GC UDR service handler for GET /nudr-dr/v2/application-data/influenceData/subs-to-notify |
| CVE-2026-40245 | Information Disclosure | Exposure of SUPI/IMSI values via Traffic Influence Subscriptions |