Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty supi path parameter. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures. When a client sends a DELETE request with an empty supi (e.g., double slashes // in URL path), the UDM forwards the malformed request to UDR, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for DELETE operations. The issue has been patched in version 1.4.2.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-209"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33065.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.4.2"
}
],
"cpe": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
]
}