CVE-2026-40247 - Vulnerability Analysis
High | CVSS: 7.5 | Last Updated: April 21, 2026
free5GC UDR - Information Disclosure
Published: April 16, 2026 | Updated: April 21, 2026 | PoC Available | Remote Exploitable
Overview
free5GC UDR service <= 4.2.1 contains an information disclosure vulnerability caused by improper handling of the influenceId path segment in Traffic Influence Subscriptions. Unauthenticated attackers can read arbitrary subscription data via the 5G Service Based Interface; exploitation requires network access to that interface.
Severity & Score
Severity: High
CVSS Score: 7.5
Impact
Unauthenticated attackers can read sensitive subscriber data, including SUPIs/IMSIs and callback URIs, resulting in privacy loss and data exposure.
Mitigation
Update to the latest version once a patch is available.
Details
- CVE ID: CVE-2026-40247
- Severity: High
- CVSS Score: 7.5
- Status: confirmed
CWE
- CWE-285
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N