Description
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty supi path parameter. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures. When a client sends a DELETE request with an empty supi (e.g., double slashes // in URL path), the UDM forwards the malformed request to UDR, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for DELETE operations. The issue has been patched in version 1.4.2.
Published: 2026-03-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: API error misclassification and potential information leakage
Action: Apply patch
AI Analysis

Impact

The vulnerability occurs when Free5GC’s Unified Data Management (UDM) component receives a DELETE request that contains an empty subscriber profile identifier (supi) in the URL path. Instead of propagating the downstream 400 Bad Request returned by the User Data Repository (UDR) back to the client, the UDM mistakenly converts it into a 500 Internal Server Error. This misreporting violates REST API best practices and leaks internal error handling behavior, making it difficult for clients to distinguish between client‑side mistakes and genuine server failures. The flaw does not provide an attacker with direct code execution or data exfiltration capabilities; it primarily affects HTTP status code accuracy and diagnostic clarity.
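As an added illustration (not free5GC's own code), the Go sketch below contrasts the pre-1.4.2 status mapping the advisory describes with a corrected handler that validates the path parameter first and otherwise passes the downstream status through. The path layout /nudm-sdm/v2/{supi}/sdm-subscriptions/{subscriptionId}, the simulated UDR call and the cause strings other than SYSTEM_FAILURE are assumptions of this example.

```go
package main

import (
	"net/http"
	"strings"
)

// ProblemDetails carries the status and cause of a 3GPP-style error response;
// the type and field names are this example's own, not free5GC's.
type ProblemDetails struct {
	Status int
	Cause  string
}

// udrDelete stands in for the downstream UDR call, simulated so the example runs
// offline: UDR correctly rejects an empty supi with 400.
func udrDelete(supi string) *ProblemDetails {
	if supi == "" {
		return &ProblemDetails{Status: http.StatusBadRequest, Cause: "MANDATORY_IE_MISSING"}
	}
	return nil // success
}

// supiFromPath extracts the {supi} segment from an assumed
// /nudm-sdm/v2/{supi}/sdm-subscriptions/{subscriptionId} path; "//" yields "".
func supiFromPath(path string) string {
	return strings.SplitN(strings.TrimPrefix(path, "/nudm-sdm/v2/"), "/", 2)[0]
}

// vulnerableDelete models the pre-1.4.2 behaviour the advisory describes:
// any downstream error, UDR's 400 included, is collapsed into 500 SYSTEM_FAILURE.
func vulnerableDelete(path string) ProblemDetails {
	if pd := udrDelete(supiFromPath(path)); pd != nil {
		return ProblemDetails{Status: http.StatusInternalServerError, Cause: "SYSTEM_FAILURE"}
	}
	return ProblemDetails{Status: http.StatusNoContent}
}

// fixedDelete rejects an empty supi before calling UDR and, should UDR still
// reject the request, passes UDR's status and cause through unchanged.
func fixedDelete(path string) ProblemDetails {
	supi := supiFromPath(path)
	if supi == "" {
		return ProblemDetails{Status: http.StatusBadRequest, Cause: "MANDATORY_IE_INCORRECT"}
	}
	if pd := udrDelete(supi); pd != nil {
		return *pd // a client error stays a client error
	}
	return ProblemDetails{Status: http.StatusNoContent}
}
```

Feeding both handlers the double-slash path from the description shows the difference directly: the first answers 500 SYSTEM_FAILURE, the second 400.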

Affected Systems

Free5GC’s Unified Data Management service in versions prior to 1.4.2 is affected. The fix was applied in version 1.4.2 and later releases. Users running any earlier release of the UDM component should upgrade to a version that includes the patch.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability is considered moderate. The EPSS score is less than 1%, and it is not listed in the CISA KEV catalog, indicating a low exploitation probability. An attacker can trigger the defect by sending a crafted DELETE request with an empty supi, but the impact is limited to misrepresented error codes and potential information disclosure through internal server messages. There are no known public exploits or remote code execution vectors associated with this issue.

Generated by OpenCVE AI on March 23, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Free5GC UDM component to version 1.4.2 or later to receive the applied fix
  • Verify that the UDM deployment uses the corrected version by checking the release notes or running a version query
  • If an immediate update is not possible, implement network filtering or rate limiting to block DELETE requests with empty URL path components
  • Review server logs for anomalous 500 status codes that may indicate attempts to exploit the error handling behavior

Advisories

Source: GitHub GHSA
ID: GHSA-958m-gxmc-mccm
Title: free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request

History

Mon, 23 Mar 2026 18:45:00 +0000
  First Time appeared: added Free5gc udm
  CPEs: added cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*
  Vendors & Products: added Free5gc udm
  Metrics: added cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 20 Mar 2026 16:30:00 +0000
  First Time appeared: added Free5gc; Free5gc free5gc
  Vendors & Products: added Free5gc; Free5gc free5gc

Fri, 20 Mar 2026 13:15:00 +0000
  Metrics: added ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 08:15:00 +0000
  Description: added (the full text shown under Description above)
  Title: added free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request
  Weaknesses: added CWE-209
  References
  Metrics: added cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-20T12:49:42.321Z
  Reserved: 2026-03-17T19:27:06.343Z
  Link: CVE-2026-33065

Vulnrichment
  Updated: 2026-03-20T12:44:42.503Z

NVD
  Status: Analyzed
  Published: 2026-03-20T08:16:12.430
  Modified: 2026-03-23T18:32:57.070
  Link: CVE-2026-33065

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-03-25T14:30:05Z

Weaknesses