CVE-2026-40343

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N                                    

Vulnerability Description

free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.

Vulnerability Details

Published Date

April 21, 2026

Last Modified

April 23, 2026

CWE ID

CWE-754

Source

GitHub

Vendor

Product

github.com/free5gc/udr

External References

https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm
https://github.com/advisories/GHSA-jwch-w7wh-gqjm

CVE-2026-40343

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment