CVE-2026-39922

MEDIUM

GeoNode < 4.4.5, 5.0.2 SSRF via Service Registration

Title source: cna

Description

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.

References (4)

[Patch] https://github.com/GeoNode/geonode/releases/tag/5.0.2

[Patch] https://github.com/GeoNode/geonode/releases/tag/4.4.5

[Third Party Advisory] https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration

[Vendor Advisory] https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3

Scores

CVSS v3 6.3

EPSS 0.0004

EPSS Percentile 11.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (3)

GeoNode/GeoNode 4.0 - 4.4.5

GeoNode/GeoNode 5.0 - 5.0.2

geosolutionsgroup/geonode 4.0.0 - 4.4.5

Published Apr 10, 2026

Tracked Since Apr 11, 2026