CVE-2026-39921
SSRF Vulnerability in GeoNode Document Upload Allows Internal Requests

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: VulnCheck

Description
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-16
Generated: 2026-06-16
AI Q&A: 2026-04-11
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
geosolutionsgroup | geonode | from 4.0.0 (inclusive) to 4.4.5 (exclusive)
geosolutionsgroup | geonode | from 5.0.0 (inclusive) to 5.0.2 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Compliance Impact

The vulnerability allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests to internal network resources, potentially leading to unauthorized access or information disclosure from internal systems.

Such unauthorized access or information disclosure could impact compliance with common standards and regulations like GDPR or HIPAA, which require protection of sensitive data and internal systems from unauthorized access.

However, the provided information does not explicitly mention the direct impact on compliance with these standards or any regulatory consequences.

Executive Summary

CVE-2026-39921 is a Server-Side Request Forgery (SSRF) vulnerability in GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2. It allows authenticated users who have document upload permissions to exploit the system by submitting a malicious URL through the doc_url parameter during document upload.

When exploited, this vulnerability causes the server to make arbitrary outbound HTTP requests to URLs specified by the attacker. These URLs can point to internal network targets, loopback addresses, private IP ranges defined by RFC1918, or cloud metadata services.

The vulnerability exists because the server lacks SSRF mitigations such as filtering private IP addresses or validating redirects, allowing attackers to potentially access internal resources that should be protected.

Impact Analysis

This vulnerability can impact you by allowing attackers with document upload permissions to make the server send unauthorized HTTP requests to internal network resources.

Such unauthorized requests can lead to information disclosure or unauthorized access to internal systems that are normally protected from external access.

Attackers could exploit this to access sensitive internal services, cloud metadata, or other protected resources, potentially compromising the confidentiality and integrity of your internal network.

Detection Guidance

This vulnerability involves an SSRF triggered by authenticated users with document upload permissions submitting a malicious URL via the doc_url parameter. Detection would involve monitoring for unusual outbound HTTP requests initiated by the GeoNode server, especially requests to internal IP ranges such as loopback addresses, RFC1918 private IPs, or cloud metadata service endpoints.

Specific commands or detection tools are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade GeoNode to version 4.4.5 or later if using the 4.x series, or to version 5.0.2 or later if using the 5.x series, as these versions contain fixes addressing this SSRF vulnerability.

Additionally, restricting document upload permissions to trusted users and monitoring outbound HTTP requests from the server can help reduce risk until the upgrade is applied.
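As an added illustration (not GeoNode's code and not part of this advisory), the two mitigations the description says are absent, private IP filtering and redirect validation, applied to a user-supplied fetch URL such as doc_url before the server fetches it. The injectable resolve and opener arguments, the host names and the addresses are constructed assumptions so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


def is_public_ip(ip_text: str) -> bool:
    """Reject loopback, RFC1918/ULA, link-local (169.254.169.254 is where cloud
    metadata services usually live), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_host(host: str) -> set:
    """Every A/AAAA answer for host; IP literals come back as-is without a DNS query."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    return {info[4][0] for info in infos}

def validate_fetch_url(url: str, resolve=resolve_host) -> set:
    """Return the resolved addresses if url is safe to fetch; raise ValueError otherwise.
    `resolve` is injectable (assumption) so the check can be unit-tested offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    addrs = resolve(parsed.hostname)
    # One non-public answer is enough to refuse: the attacker controls their own DNS.
    bad = sorted(a for a in addrs if not is_public_ip(a))
    if bad:
        raise ValueError(f"{parsed.hostname!r} resolves to non-public address(es): {bad}")
    return addrs

def fetch_validated(url: str, opener, resolve=resolve_host):
    """Follow redirects by hand so every hop is validated (a public host may 302 to an
    internal one). `opener(url)` (assumption) must NOT auto-follow redirects, e.g.
    requests.get(url, allow_redirects=False); it returns (status, headers, body). Caveat:
    the checked IP is not pinned to the later connect, so DNS rebinding can still race it."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_fetch_url(url, resolve)
        status, headers, body = opener(url)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        url = urljoin(url, headers.get("Location", ""))
    raise ValueError("too many redirects")
```

Pinning the validated address at connect time (so the socket goes to the IP that was checked, not to a fresh DNS answer) closes the rebinding gap noted in the last docstring.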
