{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/udr/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["free5GC","UDR","path-validation","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn improper path validation vulnerability in the free5gc UDR (User Data Repository) service allows unauthenticated attackers with network access to the 5G Service Based Interface (SBI) to read Traffic Influence Subscriptions. The vulnerability, present in versions up to 1.4.2, stems from a missing \u003ccode\u003ereturn\u003c/code\u003e statement after an HTTP 404 response is sent for an invalid path. This allows the request to continue processing and return subscription data despite the invalid path. An attacker can exploit this by providing an arbitrary value instead of the expected \u003ccode\u003esubs-to-notify\u003c/code\u003e path segment in a GET request. Successful exploitation allows the attacker to retrieve sensitive subscriber-related information, impacting deployments where the SBI is reachable by untrusted parties.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable free5GC UDR instance with a reachable SBI.\u003c/li\u003e\n\u003cli\u003eAttacker creates a Traffic Influence Subscription using a POST request to \u003ccode\u003e/nudr-dr/v2/application-data/influenceData/subs-to-notify\u003c/code\u003e to obtain a valid \u003ccode\u003esubscriptionId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe UDR service creates and stores the subscription, assigning a unique \u003ccode\u003esubscriptionId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a GET request to \u003ccode\u003e/nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}\u003c/code\u003e with an invalid \u003ccode\u003einfluenceId\u003c/code\u003e (e.g., \u0026ldquo;WRONGID\u0026rdquo;) but the valid \u003ccode\u003esubscriptionId\u003c/code\u003e obtained in step 2.\u003c/li\u003e\n\u003cli\u003eThe UDR service\u0026rsquo;s \u003ccode\u003eHandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdGet\u003c/code\u003e function checks if \u003ccode\u003einfluenceId\u003c/code\u003e is not equal to \u0026ldquo;subs-to-notify\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe function incorrectly sends a \u0026ldquo;404 page not found\u0026rdquo; response but fails to terminate the request processing.\u003c/li\u003e\n\u003cli\u003eThe request processing continues, retrieving the subscription data associated with the valid \u003ccode\u003esubscriptionId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe UDR service returns the 404 error message along with the subscription object (containing sensitive information) in the same HTTP response body, disclosing subscriber data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows unauthenticated attackers to retrieve Traffic Influence Subscription objects without proper authorization. Successful exploitation results in the disclosure of sensitive subscriber-related information, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback notification URI values. This data can be used for further malicious activities such as subscriber tracking or unauthorized service access. Any free5GC deployment with a reachable SBI is potentially impacted. The severity is high due to the ease of exploitation and the sensitivity of the disclosed information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by free5GC, which adds the missing \u003ccode\u003ereturn\u003c/code\u003e statement in \u003ccode\u003eNFs/udr/internal/sbi/api_datarepository.go\u003c/code\u003e to prevent further processing after sending the 404 response.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for GET requests to \u003ccode\u003e/nudr-dr/v2/application-data/influenceData/*\u003c/code\u003e that return a 404 status code along with a JSON body to detect potential exploitation attempts. Implement a detection rule similar to the \u0026ldquo;Detect free5GC UDR Path Traversal Attempt\u0026rdquo; Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eBlock the callback notification URI \u003ccode\u003ehttp://evil.com/notify\u003c/code\u003e listed in the IOC table at the network or application firewall to prevent potential callback exploitation.\u003c/li\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ego/github.com/free5gc/udr\u003c/code\u003e package to a version greater than 1.4.2 to remediate CVE-2026-40247.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T20:01:43Z","date_published":"2026-04-14T20:01:43Z","id":"/briefs/2026-04-free5gc-udr-path-validation/","summary":"An improper path validation vulnerability exists in the free5gc UDR service, allowing unauthenticated attackers with access to the 5G Service Based Interface (SBI) to read Traffic Influence Subscriptions.","title":"free5gc UDR Improper Path Validation Allows Unauthenticated Access to Traffic Influence Subscriptions","url":"https://feed.craftedsignal.io/briefs/2026-04-free5gc-udr-path-validation/"}],"language":"en","title":"CraftedSignal Threat Feed — UDR","version":"https://jsonfeed.org/version/1.1"}