CVE-2026-42459: Free5GC UDM has Improper Input Validation and Generation of Error Messages Containing Sensitive Information
The free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details.
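The two controls the description points to, rejecting a malformed `supi` before anything is forwarded and returning a fixed error body on upstream failure, shown as an added Go example; it is not free5GC's code or its patch. The route, the IMSI-only pattern, the `fetch` stub, the sample IMSI and the internal hostname are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Assumption: IMSI-form SUPIs only. The anchored allow-list excludes control characters by construction.
var supiRe = regexp.MustCompile(`^imsi-[0-9]{5,15}$`)

// problem writes a fixed, generic error body; no upstream text is echoed to the client.
func problem(w http.ResponseWriter, code int, title string) {
	w.Header().Set("Content-Type", "application/problem+json")
	w.WriteHeader(code)
	fmt.Fprintf(w, `{"status":%d,"title":%q}`, code, title)
}

// SDMHandler serves the constructed route /nudm-sdm/v2/{supi}/am-data; fetch is a hypothetical stand-in for the UDM-to-UDR call.
func SDMHandler(fetch func(supi string) (string, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p := strings.Split(r.URL.Path, "/") // URL.Path is already percent-decoded
		if len(p) != 5 || !supiRe.MatchString(p[3]) {
			problem(w, http.StatusBadRequest, "Invalid SUPI") // rejected before forwarding
			return
		}
		body, err := fetch(p[3])
		if err != nil { // record err in server-side logs only
			problem(w, http.StatusInternalServerError, "Internal error")
			return
		}
		fmt.Fprint(w, body)
	}
}

// Probe sends one GET through the handler with an upstream stub that always fails with a constructed internal address.
func Probe(target string) (int, string) {
	h := SDMHandler(func(string) (string, error) {
		return "", errors.New("GET http://udr.internal.example:8000/: connection refused")
	})
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() { fmt.Println(Probe("/nudm-sdm/v2/imsi-208930000000001%0d%0a/am-data")) }
```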