CVE-2026-39922: GeoNode contains a server-side request forgery vulnerability in the service registration endpoint
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.
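The advisory describes the missing control precisely: the WMS service handler fetches whatever URL the form submits, with no private-IP filtering and no allowlist. The validator below is an added example of that control (my code, not GeoNode's; the function names `validate_service_url`, `fake_resolver` and the `FAKE_DNS` table are assumptions) and would run at form-validation time, before any outbound request. It rejects every address class the advisory lists (loopback, RFC 1918, link-local including the 169.254.169.254 metadata range, plus IPv4-mapped IPv6 forms of the same), resolves hostnames and checks every returned address rather than just the first, and optionally enforces a host allowlist. The resolver is injectable so the example runs offline against constructed DNS answers.

```python
"""Added example: validate a user-supplied service URL before any server-side fetch.

Not GeoNode's own code. Function and table names are assumptions for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: a service registration form only needs web map endpoints over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}

# Cloud metadata hostnames blocked by name as well as by the address they resolve to.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}


def _address_is_blocked(addr):
    """True for any address an outbound request must never reach."""
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback        # 127.0.0.0/8, ::1
        or addr.is_private      # RFC 1918, fc00::/7 and other special-purpose blocks
        or addr.is_link_local   # 169.254.0.0/16 (cloud metadata lives here), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def system_resolver(hostname):
    """Resolve via the OS resolver and return every A/AAAA answer as a string."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_service_url(url, allowed_hosts=None, resolver=system_resolver):
    """Return (ok, reason); ok is True only if every address the host maps to is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    if host in METADATA_HOSTS:
        return False, f"cloud metadata host: {host}"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: check it directly
    except ValueError:
        raw = resolver(host)                  # hostname, or odd forms like "127.1": resolve
        if not raw:
            return False, f"host does not resolve: {host}"
        # Strip any IPv6 scope id (fe80::1%eth0) before parsing.
        addrs = [ipaddress.ip_address(a.split("%", 1)[0]) for a in raw]
    for addr in addrs:
        if _address_is_blocked(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"


# Constructed resolver answers for offline demonstration; not real DNS data.
FAKE_DNS = {
    "maps.example.org": ["8.8.8.8"],                # a public address used as a stand-in
    "intranet.example.org": ["10.20.30.40"],        # RFC 1918
    "split.example.org": ["8.8.8.8", "127.0.0.1"],  # one public and one loopback answer
    "ipv6-internal.example.org": ["fd00::1"],       # unique local IPv6
}


def fake_resolver(hostname):
    """Offline stand-in for system_resolver, backed by the constructed table above."""
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    for candidate in (
        "https://maps.example.org/wms?SERVICE=WMS",
        "http://intranet.example.org/wms",
        "http://split.example.org/wms",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
    ):
        print(candidate, "->", validate_service_url(candidate, resolver=fake_resolver))
```

Two caveats apply when wiring this into a real handler. First, validating and then fetching by hostname is a time-of-check/time-of-use gap: a rebinding DNS record can pass the check and then resolve to an internal address when the client connects, so the fetch should connect to the address that was validated (pinning it in the HTTP client) rather than resolving again. Second, the check must be repeated for every redirect the remote service returns, since a public host can redirect the server into the same internal ranges.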
References
- github.com/GeoNode/geonode/releases/tag/4.4.5
- github.com/GeoNode/geonode/releases/tag/5.0.2
- github.com/advisories/GHSA-hw9r-6m78-w6h3
- github.com/pypa/advisory-database/tree/main/vulns/geonode/PYSEC-2026-61.yaml
- nvd.nist.gov/vuln/detail/CVE-2026-39922
- www.vulncheck.com/advisories/geonode-ssrf-via-service-registration