CVE-2026-33192
Published: 20 March 2026
Summary
CVE-2026-33192 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Free5Gc Udm. Its CVSS base score is 8.7 (High).
Operationally, ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13634
Vulnerability details
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests…
more
with an empty supi path parameter. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding to UDR, indicating a deeper architectural issue. This leaks internal error handling behavior, making it difficult for clients to distinguish between client-side errors and server-side failures. The issue has been patched in version 1.4.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects error messages that leak sensitive information as evidence of disclosure.
The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.
Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.
Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.
Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.
Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information.