User Data Repository Flaw in Free5GC by Free5GC
CVE-2026-40343

6.9 MEDIUM

Key Information:

Vendor: Free5gc

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-40343?

The User Data Repository (UDR) in Free5GC, used in 5G mobile core networks, has a flaw in its request handling. The POST handler for /nudr-dr/v2/policy-data/subs-to-notify does not stop processing when retrieving the request body or deserializing it fails. As a result, a Policy Data notification subscription may be created from undefined or partial input, which can lead to unpredictable application behavior. No patched version is available at present, so users are advised to monitor this issue.
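The missing-return pattern described above, shown beside a corrected handler, as an added Go example that is not Free5GC's own code. It uses plain net/http, and the struct fields, `store`, `try` and the sample body are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// PolicyDataSubscription is a simplified stand-in model (field set is an assumption).
type PolicyDataSubscription struct {
	NotificationUri       string   `json:"notificationUri"`
	MonitoredResourceUris []string `json:"monitoredResourceUris"`
}
type store struct{ subs []PolicyDataSubscription } // hypothetical in-memory storage

// vulnerable answers 400 on a bad body but does not return, so it still stores sub.
func (s *store) vulnerable(w http.ResponseWriter, r *http.Request) {
	var sub PolicyDataSubscription
	if err := json.NewDecoder(r.Body).Decode(&sub); err != nil {
		http.Error(w, "malformed body", http.StatusBadRequest) // missing return
	}
	s.subs = append(s.subs, sub) // reached even after the error response
	w.WriteHeader(http.StatusCreated)
}

// hardened returns right after the error response, so nothing is stored.
func (s *store) hardened(w http.ResponseWriter, r *http.Request) {
	var sub PolicyDataSubscription
	if err := json.NewDecoder(r.Body).Decode(&sub); err != nil {
		http.Error(w, "malformed body", http.StatusBadRequest)
		return
	}
	s.subs = append(s.subs, sub)
	w.WriteHeader(http.StatusCreated)
}

// try sends one POST through a handler on a fresh store; returns status and stored subs.
func try(h func(*store, http.ResponseWriter, *http.Request), body string) (int, []PolicyDataSubscription) {
	s, rec := &store{}, httptest.NewRecorder()
	h(s, rec, httptest.NewRequest(http.MethodPost, "/nudr-dr/v2/policy-data/subs-to-notify", strings.NewReader(body)))
	return rec.Code, s.subs
}

// Constructed sample: valid JSON syntax, wrong type for monitoredResourceUris.
const badBody = `{"notificationUri":"http://pcf.example/cb","monitoredResourceUris":42}`

func main() {
	fmt.Println(try((*store).vulnerable, badBody)) // 400, yet one partial subscription stored
	fmt.Println(try((*store).hardened, badBody))   // 400, nothing stored
}
```

In the vulnerable variant the client sees an error status while the server keeps a subscription built from whatever fields were decoded before the failure, which is a useful thing to look for when auditing stored subscriptions against request logs.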

Affected Version(s)

udr <= 1.4.2

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
