{"id":"CVE-2026-40249","summary":"free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unintended subscription updates after input errors","details":"free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/policy-data/subs-to-notify/{subsId} does not return after request body retrieval or deserialization errors. Although HTTP 500 or 400 error responses are sent, execution continues and the processor is invoked with a potentially uninitialized or partially initialized PolicyDataSubscription object. This fail-open behavior may allow unintended modification of existing Policy Data notification subscriptions with invalid or empty input, depending on downstream processor and storage behavior. A patched version was not available at the time of publication.","aliases":["GHSA-gx38-8h33-pmxr","GO-2026-5407"],"modified":"2026-07-08T08:13:12.405523475Z","published":"2026-04-16T21:59:36.282Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-636","CWE-754"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40249.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40249.json"},{"type":"ADVISORY","url":"https://github.com/free5gc/free5gc/security/advisories/GHSA-gx38-8h33-pmxr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40249"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/free5gc/free5gc","events":[{"introduced":"0"},{"last_affected":"52d9545faa42efca71b1567cf7d5c5afca79f490"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"4.2.1"}]}}],"versions":["v4.2.1","v4.2.0","v4.1.0","v4.0.1","v4.0.0","v3.4.5","v3.4.4","v3.4.3","v3.4.2","v3.4.1","v3.4.0","v3.3.0","v3.2.1","v3.2.0","v3.1.1","v3.1.0","v3.0.7","v3.0.6","v3.0.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40249.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}