CVE-2026-39922 MEDIUM

CVE-2026-39922: GeoNode SSRF via Service Registration

Vendor Geonode
Product GeoNode
Weakness CWE-918 · SSRF
Published April 10, 2026
Last update May 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.

Key dates

02Disclosure timeline

April 10, 2026 CVE published
May 8, 2026 Record updated