Vulnerability Description
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2.
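The status handling described above, sketched as an added example; this is not free5GC's code or its 1.4.2 patch. The names `downstreamResult`, `flawedStatus`, `correctedStatus` and `handlePatch` are hypothetical, and the local empty-`supi` check is an assumed hardening step.

```go
package main

import (
	"fmt"
	"net/http"
)

// downstreamResult is a constructed stand-in for the reply a front-end
// network function receives from its backing store (hypothetical type).
type downstreamResult struct{ Status int }

// flawedStatus mirrors the behaviour described above: every downstream
// failure, including a 400 caused by the client, surfaces as a 500.
func flawedStatus(d downstreamResult) int {
	if d.Status >= 200 && d.Status < 300 {
		return d.Status
	}
	return http.StatusInternalServerError
}

// correctedStatus keeps client errors (4xx) as client errors, so callers
// can tell a bad request apart from a genuine server-side failure.
func correctedStatus(d downstreamResult) int {
	if (d.Status >= 200 && d.Status < 300) || (d.Status >= 400 && d.Status < 500) {
		return d.Status
	}
	return http.StatusInternalServerError
}

// handlePatch rejects an empty supi locally (assumed hardening), so the
// malformed request never reaches the downstream service, and forwards
// with the caller's own method instead of rewriting PATCH to PUT.
func handlePatch(supi string, forward func(method, supi string) downstreamResult) int {
	if supi == "" {
		return http.StatusBadRequest
	}
	return correctedStatus(forward(http.MethodPatch, supi))
}

func main() {
	bad := downstreamResult{Status: http.StatusBadRequest} // constructed sample
	fmt.Println(flawedStatus(bad), correctedStatus(bad))
}
```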
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Free5Gc | Udm | < 1.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/free5gc/free5gc/issues/784 (Exploit, Issue Tracking, Patch)
- https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8 (Patch, Vendor Advisory)
- https://github.com/free5gc/udm/pull/79 (Issue Tracking, Patch)
FAQ
What is CVE-2026-33192?
CVE-2026-33192 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a...
How severe is CVE-2026-33192?
CVE-2026-33192 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-33192?
Check the references section above for vendor advisories and patch information. Affected products include: Free5Gc Udm.