PT-2026-26187 · Free5Gc · Free5Gc
Zfei10990-Cmd · Published 2026-03-18 · Updated 2026-03-27 · CVE-2026-33065
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Free5GC versions prior to 1.4.2

Description: The UDM component in Free5GC incorrectly handles DELETE requests with an empty supi path parameter. Specifically, when a client sends a DELETE request with an empty supi (e.g., double slashes // in the URL path) to the /sdm-subscriptions endpoint, the UDM forwards the malformed request to the UDR. The UDR correctly returns a 400 Bad Request error, but the UDM incorrectly propagates this as a 500 Internal Server Error (SYSTEM FAILURE) to the client. This behavior leaks internal error handling details and hinders clients from differentiating between client-side and server-side errors, violating REST API best practices for DELETE operations. The affected component is the UDM Nudm SDM service.

Recommendations: Upgrade to Free5GC version 1.4.2 or later to resolve this issue. As a temporary workaround, implement API gateway-level validation to reject DELETE requests with empty path parameters before they reach the UDM.
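The gateway-level workaround from the recommendation, as an added example that is not part of this advisory or of the free5GC code base: a Go HTTP middleware that answers 400 Bad Request to any DELETE whose request path contains an empty segment (the "//" form an empty supi takes on the wire), so the malformed request is stopped before it reaches the UDM and the client gets a client-side error rather than a 500. The middleware name, the stand-in backend, the Nudm_SDM path shape used in the sample requests (/nudm-sdm/v2/{supi}/sdm-subscriptions/{id}) and the IMSI value are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hasEmptyPathSegment reports whether a request path has an empty segment
// between two slashes. An empty supi renders on the wire exactly like that:
// "/nudm-sdm/v2//sdm-subscriptions/sub-1" instead of
// "/nudm-sdm/v2/imsi-.../sdm-subscriptions/sub-1".
func hasEmptyPathSegment(path string) bool {
	return strings.Contains(path, "//")
}

// RejectEmptyPathParams is a hypothetical gateway middleware (assumed name,
// not free5GC code). It answers 400 Bad Request to DELETE requests carrying
// an empty path parameter so they never reach the UDM; every other request
// is passed to the wrapped handler untouched. Dropping the method check
// extends the same validation to all methods.
func RejectEmptyPathParams(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodDelete && hasEmptyPathSegment(r.URL.Path) {
			http.Error(w, "empty path parameter in request URI", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one in-memory request through the middleware placed in
// front of a stand-in backend (constructed for this example; it always
// answers 204 No Content) and returns the status code the client would see.
func StatusFor(method, target string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	rec := httptest.NewRecorder()
	RejectEmptyPathParams(backend).ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec.Code
}

func main() {
	// Constructed sample requests: the supi is empty in the first one and
	// is a made-up IMSI in the second.
	for _, c := range []struct{ method, target string }{
		{"DELETE", "/nudm-sdm/v2//sdm-subscriptions/sub-1"},
		{"DELETE", "/nudm-sdm/v2/imsi-208930000000003/sdm-subscriptions/sub-1"},
	} {
		fmt.Printf("%s %s -> %d\n", c.method, c.target, StatusFor(c.method, c.target))
	}
}
```

The check runs on r.URL.Path rather than on the routed parameters, which is the point of doing it at the gateway: a router that tolerates an empty segment will still bind an empty supi and forward it, whereas the raw path makes the defect visible before any routing happens.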

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2026-33065
GHSA-958M-GXMC-MCCM
GO-2026-4758
SUSE-SU-2026:1135-1

Affected Products

Free5Gc