Server-Side Request Forgery Vulnerability in GeoNode by GeoSolutions
CVE-2026-39922

5.3MEDIUM

Key Information:

Vendor: Geonode
Status: Geonode
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-39922?

GeoNode versions prior to 4.4.5 and 5.0.2 exhibit a server-side request forgery vulnerability that allows authenticated attackers to manipulate internal network requests. By submitting a maliciously crafted service URL during the service registration process, attackers can trigger outbound requests to arbitrary URLs. This vulnerability arises due to inadequate URL validation in the Web Map Service (WMS) handler, which lacks proper filtering or enforcement mechanisms for private IP addresses. This opens up potential avenues for attackers to probe sensitive internal resources, including cloud metadata services.

Affected Version(s)

GeoNode 4.0 < 4.4.5

GeoNode 5.0 < 5.0.2

References

https://github.com/GeoNode/geonode/releases/tag/5.0.2

release-notespatch

https://github.com/GeoNode/geonode/releases/tag/4.4.5

release-notespatch

https://www.vulncheck.com/advisories/geonode-ssrf-via-ser...

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Elure (Marasescu Mihnea-Luca)

CVE-2026-39922 Data

JSON

Geonode

What is CVE-2026-39922?

Affected Version(s)

References

CVSS V4

Timeline

Credit