CVE-2026-40245: free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication
An information disclosure vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to retrieve stored subscriber identifiers (SUPI/IMSI) with a single HTTP GET request requiring no parameters or credentials.