๐Ÿ” CVE Alert

CVE-2026-39922

UNKNOWN 0.0

GeoNode SSRF via Service Registration

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 11th

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.
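The missing control named above (private IP filtering plus an optional allowlist, applied to the addresses a submitted URL resolves to) can be sketched as follows. This is an added example, not GeoNode code or the project's fix; `check_service_url`, `sample_resolver`, the `SAMPLE_DNS` table and its hostnames are hypothetical names constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed name-to-address table so the example runs offline.
SAMPLE_DNS = {
    "maps.example.org": ["8.8.8.8"],
    "intranet.example.org": ["10.0.0.5"],
    "mixed.example.org": ["8.8.8.8", "169.254.169.254"],
}

def system_resolver(host, port):
    """Every address the host maps to, IPv4 and IPv6."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def sample_resolver(host, port):
    """Offline resolver over SAMPLE_DNS (hypothetical, for the example only)."""
    return list(SAMPLE_DNS.get(host, []))

def is_public(addr):
    """False for loopback, RFC1918, link-local, metadata and reserved ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # strip IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap ::ffff:a.b.c.d
    return ip.is_global and not ip.is_multicast

def check_service_url(url, resolver=system_resolver, allowlist=None):
    """Return (ok, reason, addresses) for a user-submitted service URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL", []
    host = (parts.hostname or "").lower()
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False, "scheme or host not allowed", []
    if allowlist is not None and host not in allowlist:
        return False, "host not on allowlist", []
    try:
        addrs = resolver(host, port)
    except (OSError, UnicodeError):
        addrs = []
    if not addrs:
        return False, "host does not resolve", []
    # Reject if ANY resolved address is internal, not only the first one.
    blocked = [a for a in addrs if not is_public(a)]
    if blocked:
        return False, "resolves to non-public address", blocked
    return True, "ok", addrs
```

The outbound request should connect to the returned addresses and refuse redirects; otherwise a second DNS lookup or a 3xx response can still reach an internal target after the check has passed.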

CWE CWE-918
Vendor geonode
Product geonode
Published Apr 10, 2026
Last Updated Apr 16, 2026

Affected Versions

GeoNode / GeoNode
4.0 ≤ 4.4.5
5.0 ≤ 5.0.2

References

github.com: https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3
vulncheck.com: https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration

Credits

Elure (Marasescu Mihnea-Luca)