CVE-2026-42459

HIGH WAF: Medium

CVSS 7.5 Published: 2026-05-27

CWE-20

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details. This vulnerability is fixed in 4.2.2.

WAF Coverage Analysis

Improper Input Validation Medium WAF Coverage

OWASP: A03:2021 Injection

920xxx - Protocol Enforcement 941xxx - XSS / XXE 942xxx - SQL Injection

Affected Software

Vendor	Product	Version
free5gc	free5gc	up to 4.2.2

References

github.com (Exploit, Mitigation, Vendor Advisory)

Back to CVE Database