Server-Side Request Forgery in GeoNode Versions Prior to 4.4.5 and 5.0.2
CVE-2026-39921

5.3 MEDIUM

Key Information:

Vendor: Geonode
Status: Vendor
CVE Published: 10 April 2026

What is CVE-2026-39921?

GeoNode versions 4.0 prior to 4.4.5 and 5.0 prior to 5.0.2 contain a server-side request forgery (SSRF) vulnerability. An authenticated user with document upload permissions can supply an attacker-controlled URL in the doc_url parameter during document upload, and the server fetches it. This allows the attacker to make the server issue arbitrary outbound HTTP requests to internal network resources, loopback addresses, and cloud metadata services. Because the affected versions apply no SSRF protections, such as rejecting URLs that resolve to private or loopback IP addresses or re-validating the target of each redirect, these requests bypass the network controls that would otherwise keep the server from reaching those hosts.
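The two controls the description says were absent, private-address filtering and redirect validation, as an added Python example (not GeoNode's own code). The function names are hypothetical, and the `resolver` and `opener` callables are injectable so the check can be exercised offline with a constructed table instead of live DNS and HTTP.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

def resolve_all(hostname):  # production resolver: every A/AAAA record
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def is_public_address(addr_str):
    addr = ipaddress.ip_address(addr_str)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_document_url(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied document URL."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    try:
        ipaddress.ip_address(host)  # literal address: no lookup needed
        addrs = {host}
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, UnicodeError):
            addrs = set()
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:  # one private answer among several is enough to reject
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"

def fetch_with_checked_redirects(url, opener, resolver=resolve_all, max_hops=3):
    """opener(url) -> (status, location, body). Each hop is validated before it
    is followed, so a public host cannot bounce the server onto an internal one.
    Resolve-then-connect is still exposed to DNS rebinding; pin the address."""
    for _ in range(max_hops + 1):
        ok, reason = validate_document_url(url, resolver)
        if not ok:
            raise ValueError(f"blocked {url}: {reason}")
        status, location, body = opener(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return body
    raise ValueError("too many redirects")
```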

Affected Version(s)

GeoNode 4.0 < 4.4.5

GeoNode 5.0 < 5.0.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Elure (Marasescu Mihnea-Luca)