Vulnerability Details CVE-2026-33192
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.0%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2026-33192
-
cpe:2.3:a:free5gc:udm:1.0.0
-
cpe:2.3:a:free5gc:udm:1.0.1
-
cpe:2.3:a:free5gc:udm:1.0.2
-
cpe:2.3:a:free5gc:udm:1.1.0
-
cpe:2.3:a:free5gc:udm:1.1.1
-
cpe:2.3:a:free5gc:udm:1.2.0
-
cpe:2.3:a:free5gc:udm:1.2.1
-
cpe:2.3:a:free5gc:udm:1.2.2
-
cpe:2.3:a:free5gc:udm:1.2.3
-
cpe:2.3:a:free5gc:udm:1.2.4
-
cpe:2.3:a:free5gc:udm:1.2.5
-
cpe:2.3:a:free5gc:udm:1.3.0
-
cpe:2.3:a:free5gc:udm:1.3.1
-
cpe:2.3:a:free5gc:udm:1.3.2
-
cpe:2.3:a:free5gc:udm:1.4.0
-
cpe:2.3:a:free5gc:udm:1.4.1