5G Mobile Core Network Vulnerability in Free5GC by Linux Foundation
CVE-2026-33192
8.7 HIGH
What is CVE-2026-33192?
Free5GC, an open-source project for 5G mobile core networks, contains a vulnerability where the User Data Management (UDM) component mishandles PATCH requests with an empty 'supi' path parameter. Instead of properly responding with a client-side error (400 Bad Request), it incorrectly returns a server error (500 Internal Server Error). This misbehavior indicates a potential architectural flaw, as the UDM inappropriately converts PATCH requests to PUT requests when communicating with the User Data Repository (UDR). Such issues can lead to confusion for clients unable to differentiate between client-side errors and server failures. The vulnerability has been addressed in version 1.4.2.
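The behaviour the description calls for, as an added Go example that is not Free5GC's own code: an empty 'supi' is rejected with 400 before any UDR call, the PATCH verb is kept when forwarding, and only a real backend failure becomes a 500. The route `/demo-udm/{supi}/data`, the handler and stub names, and the sample SUPI are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// udrCall records what the UDM side would send to the UDR (stub, no network).
type udrCall struct{ Method, Supi string }

// handleSubscriptionPatch is a hypothetical UDM-side handler for the
// constructed route /demo-udm/{supi}/data; forward stands in for the UDR client.
func handleSubscriptionPatch(forward func(udrCall) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(r.URL.Path, "/")
		if r.Method != http.MethodPatch || len(parts) != 4 || parts[1] != "demo-udm" || parts[3] != "data" {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		supi := strings.TrimSpace(parts[2])
		if supi == "" {
			// Client error: answer 400 and never reach the UDR.
			http.Error(w, "supi path parameter is empty", http.StatusBadRequest)
			return
		}
		// Keep the verb (PATCH stays PATCH); only a backend failure maps to 500.
		if err := forward(udrCall{Method: r.Method, Supi: supi}); err != nil {
			http.Error(w, "UDR request failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

// probe sends one PATCH and returns the status plus the calls the UDR stub saw.
func probe(path string, udrErr error) (int, []udrCall) {
	var seen []udrCall
	h := handleSubscriptionPatch(func(c udrCall) error { seen = append(seen, c); return udrErr })
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPatch, path, nil))
	return rec.Code, seen
}

func main() {
	fmt.Println(probe("/demo-udm//data", nil)) // constructed request, empty supi
	fmt.Println(probe("/demo-udm/imsi-001010000000001/data", nil)) // constructed SUPI
}
```
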
Affected Version(s)
free5gc < 1.4.2
