CVE-2026-39921
GeoNode < 4.4.5, 5.0.2 SSRF via Document Upload
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
8th
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.
| CWE | CWE-918 |
| Vendor | geonode |
| Product | geonode |
| Published | Apr 10, 2026 |
| Last Updated | Apr 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for geonode geonode
Be the first to know when new unknown vulnerabilities affecting geonode geonode are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
GeoNode / GeoNode
4.0 < 4.4.5 5.0 < 5.0.2
References
github.com: https://github.com/GeoNode/geonode/releases/tag/5.0.2 github.com: https://github.com/GeoNode/geonode/releases/tag/4.4.5 github.com: https://github.com/GeoNode/geonode/pull/14058 github.com: https://github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1 github.com: https://github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571 vulncheck.com: https://www.vulncheck.com/advisories/geonode-ssrf-via-document-upload
Credits
Elure (Marasescu Mihnea-Luca)