{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T22:02:30.029Z", "datePublished": "2026-02-24T00:18:56.360Z", "dateUpdated": "2026-02-26T14:33:35.020Z"}, "containers": {"cna": {"title": "free5GC has Improper Input Validation in UDM UEAU Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-h4wg-rp7m-8xx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-h4wg-rp7m-8xx4"}, {"name": "https://github.com/free5gc/free5gc/issues/749", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/free5gc/issues/749"}, {"name": "https://github.com/free5gc/udm/pull/75", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/udm/pull/75"}, {"name": "https://github.com/free5gc/udm/commit/a7af2321ddea6368c43835f90f6d1b9d67dd2ea1", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/udm/commit/a7af2321ddea6368c43835f90f6d1b9d67dd2ea1"}], "affected": [{"vendor": "free5gc", "product": "udm", "versions": [{"version": "<= 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:18:56.360Z"}, "descriptions": [{"lang": "en", "value": "free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal URL parsing errors (net/url: invalid control character). This exposes system-level error details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UEAU service may be affected. free5gc/udm pull request 75 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended."}], "source": {"advisory": "GHSA-h4wg-rp7m-8xx4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:32:55.663657Z", "id": "CVE-2026-27642", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:33:35.020Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27642", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:32:55.663657Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:33:15.576Z"}}], "cna": {"title": "free5GC has Improper Input Validation in UDM UEAU Service", "source": {"advisory": "GHSA-h4wg-rp7m-8xx4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "free5gc", "product": "udm", "versions": [{"status": "affected", "version": "<= 1.4.1"}]}], "references": [{"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-h4wg-rp7m-8xx4", "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-h4wg-rp7m-8xx4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/free5gc/free5gc/issues/749", "name": "https://github.com/free5gc/free5gc/issues/749", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/free5gc/udm/pull/75", "name": "https://github.com/free5gc/udm/pull/75", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/free5gc/udm/commit/a7af2321ddea6368c43835f90f6d1b9d67dd2ea1", "name": "https://github.com/free5gc/udm/commit/a7af2321ddea6368c43835f90f6d1b9d67dd2ea1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal URL parsing errors (net/url: invalid control character). This exposes system-level error details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UEAU service may be affected. free5gc/udm pull request 75 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:18:56.360Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27642", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:33:35.020Z", "dateReserved": "2026-02-20T22:02:30.029Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T00:18:56.360Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*", "matchCriteriaId": "D54382D2-F895-4384-9D82-597709AAE7A7", "versionEndIncluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal URL parsing errors (net/url: invalid control character). This exposes system-level error details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UEAU service may be affected. free5gc/udm pull request 75 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended."}, {"lang": "es", "value": "free5gc UDM proporciona Gesti\u00f3n Unificada de Datos (UDM) para free5GC, un proyecto de c\u00f3digo abierto para redes centrales m\u00f3viles de quinta generaci\u00f3n (5G). En versiones hasta la 1.4.1 inclusive, atacantes remotos pueden inyectar caracteres de control (p. ej., %00) en el par\u00e1metro supi, desencadenando errores internos de an\u00e1lisis de URL (net/url: invalid control character). Esto expone detalles de errores a nivel de sistema y puede utilizarse para el fingerprinting de servicios. Todas las implementaciones de free5GC que utilizan el servicio UDM Nudm_UEAU pueden verse afectadas. free5gc/udm pull request 75 contiene una correcci\u00f3n para el problema. No hay una soluci\u00f3n alternativa directa disponible a nivel de aplicaci\u00f3n. Se recomienda aplicar el parche oficial."}], "id": "CVE-2026-27642", "lastModified": "2026-02-25T16:44:26.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T01:16:15.390", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/issues/749"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-h4wg-rp7m-8xx4"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/free5gc/udm/commit/a7af2321ddea6368c43835f90f6d1b9d67dd2ea1"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/free5gc/udm/pull/75"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "udm", "source": "cna", "vendor": "free5gc"}, "product": "udm", "vendor": "free5gc"}], "analysis": {"en": {"generated_at": "2026-04-17T16:08:05.357083+00:00", "value": {"mitigation_remediation": ["Apply the official patch from free5gc\u2019s pull request\u00a075 to upgrade UDM beyond version\u00a01.4.1.", "Configure firewall or API\u2011gateway rules to limit the UDM UEAU endpoint to trusted IP ranges or internal networks until the patch is applied.", "Use a reverse proxy to strip or encode control characters from supi parameters before they reach the UDM service, thereby preventing malformed requests from reaching the vulnerable code."], "summary": {"action": "Patch", "impact": "Information disclosure and service fingerprinting"}, "threat_synthesis": {"affected_systems": "All free5GC deployments running UDM versions up to and including 1.4.1 are affected, as the issue originates in the Nudm_UEAU service implementation. To mitigate, use a version of UDM newer than 1.4.1 or apply the referenced patch.", "description_and_impact": "The vulnerability in the free5GC Unified Data Management (UDM) service allows remote attackers to inject control characters such as %00 into the supi parameter. This triggers internal URL parsing errors, causing the application to expose system\u2011level error details that can be leveraged for service fingerprinting. The flaw is a classic instance of poor input validation (CWE\u201120).", "risk_and_exploitability": "The CVSS base score of 6.6 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, reinforcing that it is currently low risk. The attack vector is likely remote, requiring an attacker to send a crafted HTTP request to the UDM UEAU endpoint to trigger the error and gain exposed details."}}}}, "created": "2026-02-24T09:54:23.852202+00:00", "updated": "2026-04-17T16:15:22.642985+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$udm"]}