CVE-2026-39922

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L                                    

Vulnerability Description

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.

Vulnerability Details

Published Date

April 10, 2026

Last Modified

April 16, 2026

CWE ID

CWE-918

Source

NVD

Vendor

GeoNode

Product

GeoNode

External References

https://github.com/GeoNode/geonode/releases/tag/4.4.5
https://github.com/GeoNode/geonode/releases/tag/5.0.2
https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration

CVE-2026-39922

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment