CVE-2026-40246 - Vulnerability Analysis
High | CVSS: 7.5 | Last Updated: April 21, 2026
free5GC UDR - Broken Access Control
Published: April 16, 2026 | Updated: April 21, 2026 | PoC Available | Remote Exploitable
Overview
free5GC UDR service <= 1.4.2 contains an authorization bypass caused by improper validation of the influenceId path segment in the delete Traffic Influence Subscriptions handler. This lets unauthenticated attackers delete arbitrary subscriptions via the 5G Service Based Interface. Exploitation requires network access to the interface.
Severity & Score
Severity: High
CVSS Score: 7.5
Impact
Unauthenticated attackers can delete arbitrary Traffic Influence Subscriptions, disrupting network operations and service availability.
Mitigation
Update to the latest version once a patch is available.
Details
- CVE ID: CVE-2026-40246
- Severity: High
- CVSS Score: 7.5
- Type: broken_access_control
- Status: confirmed
CWE
- CWE-285
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N