5G Core Network Vulnerability in Free5GC UDR Service
CVE-2026-40246

8.7 HIGH

Key Information:

Vendor: Free5gc

Status
Vendor
CVE Published: 16 April 2026

What is CVE-2026-40246?

The UDR service of Free5GC, an open-source 5G core network implementation, contains a security flaw that permits unauthorized deletion of Traffic Influence Subscriptions. In affected versions, 1.4.2 and below, the handler does not halt execution after validation of the influenceId path segment sends a 404 Not Found response. As a result, an unauthenticated attacker with access to the 5G Service Based Interface can delete arbitrary subscriptions by supplying any value for influenceId. The response is also misleading, since it does not accurately indicate the outcome of the request. The flaw poses a significant threat to network integrity and service reliability.
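The bug class described above (an error response is written but the handler keeps running), shown beside its fix. This is an added example using Go's standard library, not Free5GC's code; the route shape, the in-memory map, and the expected segment value `influenceData` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const validInfluenceID = "influenceData" // assumed expected value of the path segment

// deleteHandler serves DELETE /{influenceId}/{subscriptionId} (hypothetical route).
// With halt=false it reproduces the flaw: 404 is sent, yet execution continues.
func deleteHandler(subs map[string]bool, halt bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(parts) != 2 {
			http.Error(w, "bad path", http.StatusBadRequest)
			return
		}
		if parts[0] != validInfluenceID {
			http.Error(w, "not found", http.StatusNotFound)
			if halt {
				return // the fix: stop as soon as the error response is written
			}
		}
		delete(subs, parts[1])              // reached even after the 404 when halt=false
		w.WriteHeader(http.StatusNoContent) // ignored if a status was already written
	}
}

// run sends one DELETE with a wrong influenceId against a constructed store and
// returns the status the client saw and whether subscription "sub-1" survived.
func run(halt bool) (int, bool) {
	subs := map[string]bool{"sub-1": true}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodDelete, "/bogus/sub-1", nil)
	deleteHandler(subs, halt)(rec, req)
	return rec.Code, subs["sub-1"]
}

func main() {
	for _, halt := range []bool{false, true} {
		code, kept := run(halt)
		fmt.Printf("halt=%v status=%d subscription kept=%v\n", halt, code, kept)
	}
}
```

Both variants answer 404, so the status code alone cannot tell an operator whether a subscription was removed; compare stored subscriptions against DELETE requests that returned 404. A regression test for the fix should assert on the stored state, not only on the response.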

Affected Version(s)

free5gc <= 1.4.2

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
