CVE-2026-33065

EPSS 0.05%

free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request

Published: 3/18/2026 | Modified: 3/23/2026

Description

**Impact**

This is an Improper Error Handling vulnerability with Information Exposure implications.

- **Security Impact**: The UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty `supi` path parameter. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures.
- **Functional Impact**: When a client sends a DELETE request with an empty `supi` (e.g., double slashes `//` in the URL path), the UDM forwards the malformed request to UDR, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for DELETE operations.
- **Affected Parties**: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with DELETE operations on the sdm-subscriptions endpoint.

**Patches**

Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#79. Users should upgrade to the next release of free5GC that includes this commit.

**Workarounds**

There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject DELETE requests with empty path parameters before they reach UDM.
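The status mapping described above, as an added Go example (not free5GC's code): a stand-in UDR answers 400 for an empty `supi`, and `deleteViaUDR` shows the reported behaviour beside a version that rejects the empty path parameter before forwarding and keeps a downstream 4xx as a 4xx. The resource path follows the Nudm_SDM `/nudm-sdm/v2/{supi}/sdm-subscriptions/{id}` layout; `pathSupi`, `mockUDR` and the sample SUPI are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// pathSupi returns the {supi} segment of /nudm-sdm/v2/{supi}/sdm-subscriptions/{id}, "" if missing (hypothetical helper, not free5GC's router).
func pathSupi(path string) string {
	supi, _, _ := strings.Cut(strings.TrimPrefix(path, "/nudm-sdm/v2/"), "/")
	return supi
}

// mockUDR stands in for the downstream UDR: an empty supi is a client error, so it answers 400.
func mockUDR(w http.ResponseWriter, r *http.Request) {
	if pathSupi(r.URL.Path) == "" {
		http.Error(w, `{"status":400,"cause":"MANDATORY_IE_MISSING"}`, http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// deleteViaUDR forwards the DELETE to udrURL and returns the status the UDM should send back. strict=false reproduces the reported bug (any UDR failure becomes 500 SYSTEM_FAILURE); strict=true validates the path parameter first and keeps a UDR 4xx unchanged.
func deleteViaUDR(udrURL, path string, strict bool) int {
	if strict && pathSupi(path) == "" {
		return http.StatusBadRequest // reject before the request reaches UDR at all
	}
	req, _ := http.NewRequest(http.MethodDelete, udrURL+path, nil)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return http.StatusInternalServerError
	}
	defer resp.Body.Close()
	if resp.StatusCode < 300 {
		return http.StatusNoContent
	}
	if strict && resp.StatusCode >= 400 && resp.StatusCode < 500 {
		return resp.StatusCode // a client error stays a client error
	}
	return http.StatusInternalServerError // SYSTEM_FAILURE
}

func main() {
	udr := httptest.NewServer(http.HandlerFunc(mockUDR))
	defer udr.Close()
	bad := "/nudm-sdm/v2//sdm-subscriptions/sub-1" // constructed: double slash, empty supi
	fmt.Println(deleteViaUDR(udr.URL, bad, false), deleteViaUDR(udr.URL, bad, true)) // 500 400
}
```

The gateway-level workaround from the advisory is the same early check as the `strict` branch, applied in front of UDM rather than inside it.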

Affected packages (2)

CVSS scores

| Source | Version  | Severity | Vector |
|--------|----------|----------|--------|
| osv    | CVSS 4.0 |          | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
