CVE-2026-40249: free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unintended subscription updates after input errors

April 14, 2026 (updated April 24, 2026)

A fail-open request handling flaw in the UDR service causes the /nudr-dr/v2/policy-data/subs-to-notify/{subsId} PUT handler to continue processing requests even after request body retrieval or deserialization errors.

This may allow unintended modification of existing Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.

References

github.com/advisories/GHSA-gx38-8h33-pmxr
github.com/free5gc/free5gc/security/advisories/GHSA-gx38-8h33-pmxr
github.com/free5gc/udr
nvd.nist.gov/vuln/detail/CVE-2026-40249

Code Behaviors & Features

Detect and mitigate CVE-2026-40249 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →