CVE-2026-33192

UNKNOWN 0.0

free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2.

CWE	CWE-209
Vendor	free5gc
Product	free5gc
Published	Mar 20, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for free5gc free5gc

Be the first to know when new unknown vulnerabilities affecting free5gc free5gc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

free5gc / free5gc

< 1.4.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8 github.com: https://github.com/free5gc/free5gc/issues/784 github.com: https://github.com/free5gc/udm/pull/79