{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33192", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.721Z", "datePublished": "2026-03-20T08:09:07.459Z", "dateUpdated": "2026-03-20T12:21:06.644Z"}, "containers": {"cna": {"title": "free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "lang": "en", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8"}, {"name": "https://github.com/free5gc/free5gc/issues/784", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/free5gc/issues/784"}, {"name": "https://github.com/free5gc/udm/pull/79", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/udm/pull/79"}], "affected": [{"vendor": "free5gc", "product": "free5gc", "versions": [{"version": "< 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:09:07.459Z"}, "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2."}], "source": {"advisory": "GHSA-5rvc-5cwx-g5x8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T12:19:59.205158Z", "id": "CVE-2026-33192", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T12:21:06.644Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33192", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T12:19:59.205158Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T12:20:12.615Z"}}], "cna": {"title": "free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques", "source": {"advisory": "GHSA-5rvc-5cwx-g5x8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "free5gc", "product": "free5gc", "versions": [{"status": "affected", "version": "< 1.4.2"}]}], "references": [{"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8", "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/free5gc/free5gc/issues/784", "name": "https://github.com/free5gc/free5gc/issues/784", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/free5gc/udm/pull/79", "name": "https://github.com/free5gc/udm/pull/79", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:09:07.459Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33192", "state": "PUBLISHED", "dateUpdated": "2026-03-20T12:21:06.644Z", "dateReserved": "2026-03-17T22:16:36.721Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:09:07.459Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*", "matchCriteriaId": "C4C4212B-95F4-49DD-B6DA-F6DF4D8D7257", "versionEndExcluding": "1.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2."}, {"lang": "es", "value": "Free5GC es un proyecto de c\u00f3digo abierto de la Linux Foundation para redes centrales m\u00f3viles de quinta generaci\u00f3n (5G). En versiones anteriores a la 1.4.2, el UDM convierte incorrectamente un 400 Bad Request descendente (del UDR) en un 500 Internal Server Error al manejar solicitudes PATCH con un par\u00e1metro de ruta supi vac\u00edo. Adem\u00e1s, el UDM traduce incorrectamente el m\u00e9todo PATCH a PUT al reenviar al UDR, lo que indica un problema arquitect\u00f3nico m\u00e1s profundo. Esto filtra el comportamiento interno de manejo de errores, dificultando a los clientes distinguir entre errores del lado del cliente y fallos del lado del servidor. El problema ha sido parcheado en la versi\u00f3n 1.4.2."}], "id": "CVE-2026-33192", "lastModified": "2026-03-23T18:32:46.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:16.230", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/issues/784"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/free5gc/udm/pull/79"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "free5gc", "source": "cna", "vendor": "free5gc"}, "product": "free5gc", "vendor": "free5gc"}], "analysis": {"en": {"generated_at": "2026-03-23T19:24:23.415426+00:00", "value": {"mitigation_remediation": ["Upgrade free5GC to version 1.4.2 or later, where the bug is fixed.", "Verify that the UDM service now validates the supi parameter and returns a proper 400 status when it is missing.", "Apply regular security updates and monitor free5GC release notes for related changes."], "summary": {"action": "Immediate Patch", "impact": "Information Leakage"}, "threat_synthesis": {"affected_systems": "All releases of free5GC prior to version 1.4.2, specifically the UDM service identified by the CPES cpe:2.3:a:free5gc:udm. The vendor product is free5gc:free5gc. No sub\u2011release details are provided beyond the major version, so any build before 1.4.2 is considered impacted.", "description_and_impact": "The UDM component of free5GC mishandles PATCH requests to update sdm-subscriptions when the supi path parameter is empty. Instead of propagating the downstream 400 Bad Request from the UDR, it converts the response into a 500 Internal Server Error. This reversal exposes internal error\u2011handling behavior, preventing clients from distinguishing between client\u2011side errors and server failures. The weakness is classed as CWE\u2011209 Information Exposure.", "risk_and_exploitability": "The CVSS score of 8.7 marks the vulnerability as high severity, while an EPSS score of less than 1% and absence from KEV suggest limited current exploitation. The flaw can be triggered through external network traffic by sending a PATCH request with an empty supi value, leading to error\u2011handling leakage. Attackers could map server responses to infer service behavior, making the impact significant in reachable environments."}}}}, "created": "2026-03-20T10:36:40.787249+00:00", "updated": "2026-03-25T14:29:56.438951+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$free5gc"]}