{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33192", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.721Z", "datePublished": "2026-03-20T08:09:07.459Z", "dateUpdated": "2026-03-20T12:21:06.644Z"}, "containers": {"cna": {"title": "free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "lang": "en", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8"}, {"name": "https://github.com/free5gc/free5gc/issues/784", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/free5gc/issues/784"}, {"name": "https://github.com/free5gc/udm/pull/79", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/udm/pull/79"}], "affected": [{"vendor": "free5gc", "product": "free5gc", "versions": [{"version": "< 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:09:07.459Z"}, "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2."}], "source": {"advisory": "GHSA-5rvc-5cwx-g5x8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T12:19:59.205158Z", "id": "CVE-2026-33192", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T12:21:06.644Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33192", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T12:19:59.205158Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T12:20:12.615Z"}}], "cna": {"title": "free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques", "source": {"advisory": "GHSA-5rvc-5cwx-g5x8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "free5gc", "product": "free5gc", "versions": [{"status": "affected", "version": "< 1.4.2"}]}], "references": [{"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8", "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/free5gc/free5gc/issues/784", "name": "https://github.com/free5gc/free5gc/issues/784", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/free5gc/udm/pull/79", "name": "https://github.com/free5gc/udm/pull/79", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:09:07.459Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33192", "state": "PUBLISHED", "dateUpdated": "2026-03-20T12:21:06.644Z", "dateReserved": "2026-03-17T22:16:36.721Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:09:07.459Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2."}], "id": "CVE-2026-33192", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:16.230", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/free5gc/free5gc/issues/784"}, {"source": "security-advisories@github.com", "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8"}, {"source": "security-advisories@github.com", "url": "https://github.com/free5gc/udm/pull/79"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T09:23:42.480335+00:00", "value": {"mitigation_remediation": ["Upgrade free5gc to version 1.4.2 or later to apply the vendor patch that corrects the status\u2011code translation and method mapping.", "Verify post\u2011upgrade that the UDM no longer returns 500 errors for empty SUPI path parameters and that PATCH requests are forwarded correctly to the UDR.", "If an immediate upgrade is not possible, restrict external network access to the UDM API so that only trusted devices can send PATCH requests, reducing the attack surface."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected systems include the free5gc:free5gc product, specifically all releases before version 1.4.2. The CVE advisory notes that the issue is fixed by upgrading to free5gc 1.4.2 or later.", "description_and_impact": "The vulnerability exists in the free5GC UDM component, which, in versions prior to 1.4.2, incorrectly converts a downstream 400 Bad Request (originating from the UDR) into a 500 Internal Server Error when handling PATCH requests that contain an empty SUPI path parameter. Additionally, the UDM erroneously maps the PATCH method to PUT when forwarding to the UDR, highlighting deeper architectural flaws. This mishandling leaks internal error handling details, preventing clients from distinguishing between client\u2011side and server\u2011side failures and potentially exposing sensitive operational information per CWE-209.", "risk_and_exploitability": "With a CVSS score of 8.7, the flaw is categorized as high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The exploit appears to require remote access to the UDM API; an attacker can trigger the flaw by issuing a PATCH request to the SDM subscriptions endpoint with an empty SUPI path. The required preconditions are the presence of the vulnerable UDM instance and the ability to send crafted HTTP requests to it."}}}}, "created": "2026-03-20T10:36:40.787249+00:00", "updated": "2026-03-20T10:36:40.787275+00:00", "vendors": []}