{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40343", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.358Z", "datePublished": "2026-04-21T23:47:33.125Z", "dateUpdated": "2026-04-21T23:47:33.125Z"}, "containers": {"cna": {"title": "free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation", "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm"}], "affected": [{"vendor": "free5gc", "product": "udr", "versions": [{"version": "<= 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:47:33.125Z"}, "descriptions": [{"lang": "en", "value": "free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available."}], "source": {"advisory": "GHSA-jwch-w7wh-gqjm", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available."}], "id": "CVE-2026-40343", "lastModified": "2026-04-22T00:16:27.670", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:27.670", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "udr", "source": "cna", "vendor": "free5gc"}, "product": "udr", "vendor": "free5gc"}], "analysis": {"en": {"generated_at": "2026-04-22T06:09:09.407861+00:00", "value": {"mitigation_remediation": ["Restrict the /nudr-dr/v2/policy-data/subs-to-notify service to trusted IP ranges or subnets using firewall rules to prevent unauthorized access.", "Implement network segmentation so that only authorized core network components can reach the UDR service, thereby limiting the attack surface for the vulnerable endpoint.", "Enable detailed logging and alerting for attempts to create subscriptions via the affected endpoint, and review logs regularly to detect misuse or abnormal activity."], "summary": {"action": "Monitor", "impact": "Unauthorized creation of Policy Data notification subscriptions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the free5gc UDR component in all releases up to and including version 1.4.2. No later releases have been identified as remedied at the time of publication.", "description_and_impact": "The flaw is a fail\u2011open handling bug in the UDR service that allows the /nudr-dr/v2/policy-data/subs-to-notify POST handler to continue processing requests after the request body has failed to be retrieved or deserialized. This can lead to unintentionally created subscriptions with invalid, empty, or partially processed input, potentially giving an attacker the ability to register unexpected notifications or alter data flow in the core network.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity risk. EPSS data is not available and the issue is not listed in the CISA KEV catalog, so current exploitation data is limited. The likely attack vector is remote, as the vulnerable endpoint is accessible over the network within the 5G core, allowing an attacker who can reach the UDR service to send crafted HTTP POST requests that trigger the fail\u2011open logic."}}}}, "created": "2026-04-22T01:30:05.069503+00:00", "updated": "2026-04-22T06:15:10.413836+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$udr"]}