Medium severity5.8NVD Advisory· Published Apr 22, 2026· Updated Apr 23, 2026

CVE-2026-40343

Description

free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the /nudr-dr/v2/policy-data/subs-to-notify POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/free5gc/udrGo	<= 1.4.2	—

Affected products

Free5gc/Free5gc
cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*
Range: <=4.2.1
Free5gc/Udr
cpe:2.3:a:free5gc:udr:*:*:*:*:*:go:*:*
Range: <=1.4.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-jwch-w7wh-gqjmghsaADVISORY
github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjmnvdVendor AdvisoryMitigationPatchWEB
nvd.nist.gov/vuln/detail/CVE-2026-40343ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.377
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000