CVE-2026-33192

Description

**Impact** This is an Improper Error Handling vulnerability with Information Exposure implications, combined with an HTTP Method Translation issue. - **Security Impact**: The UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty `supi` path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures. - **Functional Impact**: When a client sends a PATCH request with an empty `supi` (e.g., double slashes `//` in URL path), the UDM forwards a PUT request to UDR with the malformed path, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for PATCH operations and may indicate improper HTTP method handling. - **Affected Parties**: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with PATCH operations on sdm-subscriptions endpoint. **Patches** Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#79. Users should upgrade to the next release of free5GC that includes this commit. **Workarounds** There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject PATCH requests with empty path parameters before they reach UDM.

Priority Score