CVE-2026-42459 Overview
CVE-2026-42459 affects free5GC, an open-source implementation of the 5G core network. The vulnerability resides in the Unified Data Management (UDM) network function and impacts versions prior to 4.2.2. Six GET handlers in the nudm-sdm (Subscriber Data Management) service fail to validate the supi path parameter, so an unauthenticated remote attacker who can reach the UDM's service-based interface can inject control characters into the Subscription Permanent Identifier (SUPI). The UDM forwards the malformed value in its request to the Unified Data Repository (UDR); the resulting 500 Internal Server Error is returned to the caller and exposes internal infrastructure details. The flaw is classified under [CWE-20] Improper Input Validation.
Critical Impact
Unauthenticated attackers who can reach the nudm-sdm endpoints can leak internal 5G core infrastructure details by injecting control characters into the supi path parameter. The exposure is an information disclosure, not code execution; in a properly segmented Service Based Architecture the attacker must first gain network access to the UDM's SBI interface.
Affected Products
- free5GC versions prior to 4.2.2
- free5GC UDM (Unified Data Management) component
- nudm-sdm (Subscriber Data Management) service GET handlers
Discovery Timeline
- 2026-05-27 - CVE CVE-2026-42459 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-42459
Vulnerability Analysis
The vulnerability stems from improper input validation in the free5GC UDM. Six GET handlers in the nudm-sdm service read the supi path parameter and use it directly, without checking its contents. An attacker embeds control characters in the SUPI value supplied in the URL path; the UDM then builds a downstream request to the UDR that carries those characters. The UDR rejects the malformed request, and the resulting 500 Internal Server Error propagates back through the UDM to the unauthenticated caller, leaking internal details about the 5G core deployment that a well-formed error response would not reveal.
Root Cause
The root cause is the absence of strict input validation on the supi path parameter across six GET endpoints in the nudm-sdm service. The SUPI is a structured 5G identifier with a defined grammar (for example imsi- followed by 5 to 15 digits, or the nai- form) and never legitimately contains control characters. The UDM accepts arbitrary characters in this field and forwards them to the UDR without rejecting or sanitizing them, violating the input validation requirements described in [CWE-20]. Because the value is taken from the URL path, routers that match on the percent-decoded path hand the handler the decoded bytes, so a %0d%0a in the request arrives as a literal CR LF.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP GET request to one of the affected nudm-sdm endpoints with control characters embedded in the SUPI path segment. Raw control bytes are not valid in an HTTP request line, so in practice they are supplied percent-encoded (for example %0a, %0d or %00) and decoded by the server before the handler sees them. The UDM relays the malformed value to the UDR, which returns an error, and the verbose 500 Internal Server Error returned to the attacker contains internal infrastructure metadata useful for reconnaissance and follow-on attacks against the 5G core. Technical details are available in the GitHub Security Advisory.
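The following Go program is an added example written for this page; it is not free5GC code and not the project's fix. It shows the check the affected handlers lacked: percent-decode the path the way a router would, extract the {supi} segment, reject any control character before the value reaches the UDR request, then enforce the imsi-/nai- grammar. The path layout /nudm-sdm/<version>/<supi>/<resource> and the printable-ASCII restriction on the nai- form are assumptions of this example. The same check can be applied in a proxy in front of the UDM as an interim measure.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"unicode"
)

// Accepted SUPI shapes for this example. imsi-<5..15 digits> is the 3GPP
// form; the nai- branch is narrowed to printable non-space ASCII here as a
// policy of this example, not a 3GPP rule.
var supiPattern = regexp.MustCompile(`^(imsi-[0-9]{5,15}|nai-[!-~]+)$`)

var (
	ErrEmptySupi   = errors.New("supi: empty")
	ErrControlChar = errors.New("supi: control character present")
	ErrSupiFormat  = errors.New("supi: not an imsi-/nai- identifier")
)

// ValidateSupi is the check the six nudm-sdm GET handlers lacked: reject any
// control character (CR, LF, NUL, TAB, DEL, ...) before the value is used to
// build the downstream UDR request, then enforce the structured format.
func ValidateSupi(supi string) error {
	if supi == "" {
		return ErrEmptySupi
	}
	for _, r := range supi {
		// range yields U+FFFD for invalid UTF-8; treat that as hostile too.
		if unicode.IsControl(r) || r == unicode.ReplacementChar {
			return ErrControlChar
		}
	}
	if !supiPattern.MatchString(supi) {
		return ErrSupiFormat
	}
	return nil
}

// SupiFromPath pulls the {supi} segment out of a request path laid out as
// /nudm-sdm/<version>/<supi>/<resource> (layout assumed for this example).
// It percent-decodes first, because routers that match on the decoded URL
// path hand the handler a real CR LF for "%0d%0a"; checking the undecoded
// string would miss the injected bytes.
func SupiFromPath(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", fmt.Errorf("malformed percent-encoding: %w", err)
	}
	parts := strings.Split(strings.TrimPrefix(decoded, "/"), "/")
	if len(parts) < 3 || parts[0] != "nudm-sdm" {
		return "", errors.New("not a nudm-sdm path")
	}
	return parts[2], nil
}

// GuardedStatus models the handler's decision: 400 for a rejected SUPI (no
// UDR call is made), 200 when the value may be forwarded. The vulnerable
// code skipped ValidateSupi and went straight to the UDR request.
func GuardedStatus(rawPath string) int {
	supi, err := SupiFromPath(rawPath)
	if err != nil {
		return 400
	}
	if err := ValidateSupi(supi); err != nil {
		return 400
	}
	return 200
}

func main() {
	for _, p := range []string{
		"/nudm-sdm/v2/imsi-208930000000003/am-data",
		"/nudm-sdm/v2/imsi-208930000000003%0d%0aX-Injected:%201/am-data",
		"/nudm-sdm/v2/imsi-12/nssai",
	} {
		supi, _ := SupiFromPath(p)
		fmt.Printf("%-66s supi=%q status=%d\n", p, supi, GuardedStatus(p))
	}
}
```

The order of the two checks matters for diagnostics: the control-character test runs first so an injection attempt is logged as such rather than as a generic format mismatch, and a malformed percent-escape is rejected at decode time instead of being passed through.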
Detection Methods for CVE-2026-42459
Indicators of Compromise
- HTTP GET requests to nudm-sdm service endpoints containing non-printable or control characters within the supi path segment, including their percent-encoded forms (for example %0a, %0d, %09, %00).
- Elevated rates of 500 Internal Server Error responses originating from UDM after requests targeting Subscriber Data Management routes.
- UDR error logs showing malformed SUPI values forwarded from UDM.
Detection Strategies
- Inspect HTTP access logs on UDM service endpoints for supi values that, once percent-decoded, contain characters outside the expected imsi-<digits> and nai- formats.
- Correlate UDM-to-UDR request traces with 500 response codes to identify probing patterns from unauthenticated sources.
- Apply signature rules on service mesh or API gateway proxies fronting the 5G core to flag control character injection attempts.
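As an added example of the first two strategies (not part of the page or of free5GC), the Go program below scans constructed access-log lines, decodes each nudm-sdm path, flags supi segments that contain control characters or fall outside the imsi-/nai- grammar, and counts 5xx responses per client so that a probing source can be surfaced. The log layout (timestamp, client, method, path, status), the sample lines and the path layout /nudm-sdm/<version>/<supi>/... are all constructed for this example; adapt the field parsing to the real log format in use.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"unicode"
)

// Constructed access-log lines for this example; they are not real free5GC
// output. Assumed layout: <timestamp> <client> <method> <request-path> <status>
var sampleLog = []string{
	"2026-05-28T09:58:12Z 10.60.0.21 GET /nudm-sdm/v2/imsi-208930000000003/am-data 200",
	"2026-05-28T09:58:13Z 10.60.0.21 GET /nudm-sdm/v2/imsi-208930000000007/smf-select-data 200",
	"2026-05-28T09:59:40Z 10.60.0.22 GET /nudm-sdm/v2/nai-user@example.org/am-data 200",
	"2026-05-28T10:00:01Z 203.0.113.7 GET /nudm-sdm/v2/imsi-208930000000003%0d%0a/am-data 500",
	"2026-05-28T10:00:02Z 203.0.113.7 GET /nudm-sdm/v2/imsi-208930000000003%00/nssai 500",
	"2026-05-28T10:00:03Z 203.0.113.7 GET /nudm-sdm/v2/imsi-208930000000003%09/sm-data 500",
	"2026-05-28T10:00:09Z 10.60.0.21 GET /nausf-auth/v1/ue-authentications 201",
	"2026-05-28T10:00:10Z 10.60.0.23 GET /nudm-sdm/v2/imsi-2089300000000x3/am-data 404",
}

// Same SUPI grammar as the validation example: imsi-<5..15 digits>, or nai-
// restricted to printable non-space ASCII (an assumption of this example).
var supiPattern = regexp.MustCompile(`^(imsi-[0-9]{5,15}|nai-[!-~]+)$`)

type Finding struct {
	Source, Path, Reason string
}

type ScanResult struct {
	Findings []Finding
	// 5xx responses per client on /nudm-sdm/ routes (second indicator above).
	ServerErrorsBySource map[string]int
}

func hasControlChar(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) || r == unicode.ReplacementChar {
			return true
		}
	}
	return false
}

// ScanAccessLog applies the indicators to each nudm-sdm request: decode the
// path as the server would, test the {supi} segment, and tally 5xx per source.
func ScanAccessLog(lines []string) ScanResult {
	res := ScanResult{ServerErrorsBySource: map[string]int{}}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 5 || !strings.HasPrefix(f[3], "/nudm-sdm/") {
			continue
		}
		src, path, status := f[1], f[3], f[4]
		if code, err := strconv.Atoi(status); err == nil && code >= 500 {
			res.ServerErrorsBySource[src]++
		}
		decoded, err := url.PathUnescape(path)
		if err != nil {
			res.Findings = append(res.Findings, Finding{src, path, "malformed percent-encoding in path"})
			continue
		}
		parts := strings.Split(strings.TrimPrefix(decoded, "/"), "/")
		if len(parts) < 3 {
			continue
		}
		supi := parts[2]
		switch {
		case hasControlChar(supi):
			res.Findings = append(res.Findings, Finding{src, path, "control character in supi segment"})
		case !supiPattern.MatchString(supi):
			res.Findings = append(res.Findings, Finding{src, path, "supi outside imsi-/nai- format"})
		}
	}
	return res
}

// SourcesAtOrAbove lists clients whose nudm-sdm 5xx count reached threshold,
// sorted so output is stable.
func SourcesAtOrAbove(res ScanResult, threshold int) []string {
	var out []string
	for src, n := range res.ServerErrorsBySource {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	res := ScanAccessLog(sampleLog)
	for _, f := range res.Findings {
		fmt.Printf("%-12s %-48s %s\n", f.Source, f.Path, f.Reason)
	}
	fmt.Println("sources with >=3 nudm-sdm 5xx:", SourcesAtOrAbove(res, 3))
}
```

Decoding before matching is the important step: a signature that looks for raw CR or LF bytes in the request line will never fire, because the injection travels as %0d%0a. Feed the findings and the per-source 5xx counts into the correlation described above so that a single client producing both is raised before it has finished enumerating the six handlers.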
Monitoring Recommendations
- Enable verbose logging on UDM and UDR network functions and forward logs to a centralized analytics platform for anomaly detection.
- Track baseline rates of nudm-sdm GET requests and alert on spikes of malformed or rejected SUPI values.
- Monitor for repeated requests from the same source attempting variations of control character payloads against /nudm-sdm/ paths.
How to Mitigate CVE-2026-42459
Immediate Actions Required
- Upgrade free5GC to version 4.2.2 or later, which contains the official fix for CVE-2026-42459.
- Restrict network exposure of the UDM service so only authorized 5G core network functions can reach nudm-sdm endpoints.
- Audit existing logs for prior exploitation attempts containing control characters in SUPI parameters.
Patch Information
The vulnerability is fixed in free5GC version 4.2.2. Operators should review the GitHub Security Advisory GHSA-585v-hcgf-jhfr for upgrade instructions and verify deployment of the patched UDM binaries across all 5G core instances.
Workarounds
- Deploy an API gateway or reverse proxy in front of UDM to validate that supi path parameters match the expected SUPI format and reject control characters.
- Enforce strict network segmentation so the UDM service binding is reachable only from trusted Service Based Architecture (SBA) peers.
- Replace upstream 5xx response bodies with a generic error at the proxy layer so that UDR error details are not returned to the caller until the patch is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.