CVE-2026-39922

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3
https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:geosolutionsgroup:geonode::::::::
	cpe:2.3:a:geosolutionsgroup:geonode::::::::

History

16 Apr 2026, 01:16

Type	Values Removed	Values Added
References	~~{'url': 'https://github.com/GeoNode/geonode/releases/tag/4.4.5', 'tags': ['Product', 'Release Notes'], 'source': 'disclosure@vulncheck.com'}~~ ~~{'url': 'https://github.com/GeoNode/geonode/releases/tag/5.0.2', 'tags': ['Product', 'Release Notes'], 'source': 'disclosure@vulncheck.com'}~~	() https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3 -
Summary	(en) GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.	(en) GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.

15 Apr 2026, 15:59

Type	Values Removed	Values Added
References	~~() https://github.com/GeoNode/geonode/releases/tag/4.4.5 -~~	() https://github.com/GeoNode/geonode/releases/tag/4.4.5 - Product, Release Notes
References	~~() https://github.com/GeoNode/geonode/releases/tag/5.0.2 -~~	() https://github.com/GeoNode/geonode/releases/tag/5.0.2 - Product, Release Notes
References	~~() https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration -~~	() https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration - Third Party Advisory
First Time		Geosolutionsgroup geonode Geosolutionsgroup
CPE		cpe:2.3:a:geosolutionsgroup:geonode::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.3

10 Apr 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-10 20:16

Updated : 2026-04-16 01:16

NVD link : CVE-2026-39922

Mitre link : CVE-2026-39922

CVE.ORG link : CVE-2026-39922

JSON object : View

Products Affected

geosolutionsgroup

geonode

CWE

CWE-918

Server-Side Request Forgery (SSRF)

6.3 /10