Suse
CVE-2026-33192
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact This is an Improper Error Handling vulnerability with Information Exposure implications, combined with an HTTP Method Translation issue.
- Security Impact: The UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty
supipath parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures. - Functional Impact: When a client sends a PATCH request with an empty
supi(e.g., double slashes//in URL path), the UDM forwards a PUT request to UDR with the malformed path, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for PATCH operations and may indicate improper HTTP method handling. - Affected Parties: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with PATCH operations on sdm-subscriptions endpoint.
Patches Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#79. Users should upgrade to the next release of free5GC that includes this commit.
Workarounds There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject PATCH requests with empty path parameters before they reach UDM.
AnalysisAI
UDM incorrectly converts client-side errors to server-side errors and mistranslates PATCH requests to PUT when forwarding to UDR, exposing internal error handling behavior that prevents clients from distinguishing between legitimate client errors and actual server failures. An unauthenticated remote attacker can exploit this by sending PATCH requests with malformed parameters to leak information about the service's internal architecture and error handling mechanisms. A patch is available to address this HTTP method translation and improper error handling issue.
Technical ContextAI
This vulnerability affects the free5GC open-source 5G core network implementation, specifically the UDM (User Data Management) component written in Go (CPE: pkg:go/github.com_free5gc_udm). The issue is rooted in CWE-209 (Generation of Error Message Containing Sensitive Information) and involves two architectural problems: improper HTTP method translation (PATCH to PUT) when forwarding requests to the UDR (Unified Data Repository), and incorrect error code mapping that converts client errors (400) into server errors (500). The Nudm_SDM service interface handles subscriber data management operations in 5G networks following 3GPP specifications, where proper REST semantics and error handling are critical for service orchestration and troubleshooting.
RemediationAI
Upgrade to the next release of free5GC that includes the patch from pull request https://github.com/free5gc/udm/pull/79. Users currently on free5GC v4.0.1 should monitor the project's release page at https://github.com/free5gc/free5gc for the patched version. As an interim mitigation, implement API gateway-level validation to reject PATCH requests with empty or malformed path parameters (such as double slashes) before they reach the UDM component. Network segmentation and access control should ensure that only authorized 5G network components can communicate with UDM services. Review the full advisory at https://github.com/advisories/GHSA-5rvc-5cwx-g5x8 for additional context.
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-5rvc-5cwx-g5x8