CVE-2026-39921
Status: Received (Intake)
SSRF Vulnerability in GeoNode Document Upload Allows Internal Requests

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: VulnCheck

Description
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.
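The following is an added example, not GeoNode's own code or the project's actual fix. It shows the unchecked fetch pattern the description refers to next to a hardened version that validates the scheme, refuses loopback, RFC1918, link-local (including the 169.254.169.254 metadata address), unique-local and other non-public destinations after resolving the hostname, and re-validates every redirect target instead of following it blindly. Function names, the metadata hostname list, the fake DNS table and the fake HTTP responses are assumptions constructed so that the example runs offline.

```python
"""Added example (not GeoNode's code): an unchecked doc_url fetch beside a hardened one.
The fake resolver and fake HTTP client are constructed stand-ins so this runs offline."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames cloud metadata services answer on (constructed list; extend per provider).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}
# Shared address space (CGNAT): not classified as private by every Python version.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]
REDIRECTS = {301, 302, 303, 307, 308}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched."""


def is_internal_address(addr):
    """True for loopback, RFC1918, link-local (169.254.169.254), ULA and other non-public space."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:      # ::ffff:127.0.0.1 and friends
        return is_internal_address(str(ip.ipv4_mapped))
    if (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved
            or ip.is_multicast or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def resolve_host(host):
    """All addresses the system resolver returns for host; empty list on failure."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url, resolve=resolve_host):
    """Return (host, addresses) if url may be fetched, otherwise raise UnsafeURL."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL")
    host = host.rstrip(".").lower()
    if host in METADATA_HOSTS:
        raise UnsafeURL(f"metadata host {host!r}")
    try:
        addrs = [str(ipaddress.ip_address(host))]      # IP literal: nothing to resolve
    except ValueError:
        addrs = resolve(host)                           # shorthand such as 127.1 lands here too
    if not addrs:
        raise UnsafeURL(f"cannot resolve {host!r}")     # fail closed
    for addr in addrs:
        if is_internal_address(addr):
            raise UnsafeURL(f"{host!r} resolves to internal address {addr}")
    return host, addrs


def vulnerable_fetch(url, send, max_redirects=10):
    """The pattern the advisory describes: fetch what was supplied and follow redirects blindly."""
    for _ in range(max_redirects + 1):
        status, headers, body = send(url)
        if status in REDIRECTS:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise RuntimeError("too many redirects")


def safe_fetch(url, send, resolve=resolve_host, max_redirects=3):
    """Validate the URL before the first request and again before every redirect hop."""
    for _ in range(max_redirects + 1):
        check_outbound_url(url, resolve)
        status, headers, body = send(url)
        if status in REDIRECTS:
            url = urljoin(url, headers["Location"])    # Location may be relative
            continue
        return url, body
    raise UnsafeURL("too many redirects")


# Constructed DNS table and HTTP responses: an external file host that redirects to the
# cloud metadata service, the hop a redirect-blind fetch follows without noticing.
FAKE_DNS = {"files.example.org": ["93.184.216.34"], "localhost": ["127.0.0.1"]}
FAKE_RESPONSES = {
    "https://files.example.org/doc.pdf": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
    "https://files.example.org/real.pdf": (200, {}, b"%PDF-1.7 ..."),
}
fake_resolve = lambda host: FAKE_DNS.get(host, [])
fake_send = lambda url: FAKE_RESPONSES[url]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_fetch("https://files.example.org/doc.pdf", fake_send))
    try:
        safe_fetch("https://files.example.org/doc.pdf", fake_send, fake_resolve)
    except UnsafeURL as exc:
        print("hardened blocked:", exc)
    print("hardened allowed:", safe_fetch("https://files.example.org/real.pdf", fake_send, fake_resolve))
```

Two points the check alone does not cover: the real client must connect to the address that was validated (pin the resolved IP in the transport and keep the original name for the Host header and SNI), otherwise a DNS answer that changes between check and connect bypasses it; and the fetch still needs a timeout and a size limit, since a server-side download of an attacker-chosen URL is also a resource-exhaustion primitive.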
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor: geosolutionsgroup; Product: geonode; Version range: from 4.0.0 (inclusive) to 4.4.5 (exclusive)
Vendor: geosolutionsgroup; Product: geonode; Version range: from 5.0.0 (inclusive) to 5.0.2 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests to internal network resources, potentially leading to unauthorized access or information disclosure from internal systems.

Such unauthorized access or information disclosure could impact compliance with common standards and regulations like GDPR or HIPAA, which require protection of sensitive data and internal systems from unauthorized access.

However, the provided information does not explicitly mention the direct impact on compliance with these standards or any regulatory consequences.


Can you explain this vulnerability to me?

CVE-2026-39921 is a Server-Side Request Forgery (SSRF) vulnerability in GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2. It allows authenticated users who have document upload permissions to exploit the system by submitting a malicious URL through the doc_url parameter during document upload.

When exploited, this vulnerability causes the server to make arbitrary outbound HTTP requests to URLs specified by the attacker. These URLs can point to internal network targets, loopback addresses, private IP ranges defined by RFC1918, or cloud metadata services.

The vulnerability exists because the server lacks SSRF mitigations such as filtering private IP addresses or validating redirects, allowing attackers to potentially access internal resources that should be protected.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers with document upload permissions to make the server send unauthorized HTTP requests to internal network resources.

Such unauthorized requests can lead to information disclosure or unauthorized access to internal systems that are normally protected from external access.

Attackers could exploit this to access sensitive internal services, cloud metadata, or other protected resources, potentially compromising the confidentiality and integrity of your internal network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is an SSRF triggered when an authenticated user with document upload permissions submits a malicious URL in the doc_url parameter. Because doc_url is sent in the body of the upload request, ordinary web server access logs usually do not show it; detection therefore relies either on application-level logging of the submitted URL or on monitoring outbound HTTP connections initiated by the GeoNode server, especially to loopback addresses, RFC1918 ranges, link-local addresses such as the cloud metadata endpoint 169.254.169.254, and their IPv6 equivalents. Connections to backends the application legitimately uses (database, GeoServer, message broker) should be allowlisted first, or a deployment on a private subnet will alert on every request.

Specific commands or detection tools are not provided in the available resources.
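The following is an added example, not something the advisory or GeoNode provides: detection logic that runs over egress connection records from the GeoNode host (for instance exported by a forward proxy, a host firewall with logging, or flow collection) and flags server-initiated connections to loopback, RFC1918, link-local/metadata and IPv6 unique-local destinations, after dropping the backends the application is known to talk to. It also reports a burst of distinct internal targets in a short window, which is what SSRF used for internal port and service discovery looks like. The record format, the server and backend addresses, the ports and the sample records are all constructed for illustration.

```python
"""Added example (not from the advisory or GeoNode): flag SSRF-style egress from the GeoNode host.
Record format '<ISO-8601 ts> src=... dst=... dport=... [uri=...]' and all addresses are constructed."""
import ipaddress
from datetime import datetime

# Destination ranges an SSRF through doc_url would reach; labels are this example's own.
WATCHED_RANGES = [
    ("loopback", "127.0.0.0/8"), ("loopback", "::1/128"),
    ("rfc1918", "10.0.0.0/8"), ("rfc1918", "172.16.0.0/12"), ("rfc1918", "192.168.0.0/16"),
    ("link-local/metadata", "169.254.0.0/16"), ("link-local/metadata", "fe80::/10"),
    ("ipv6-unique-local", "fc00::/7"),
]
WATCHED = [(label, ipaddress.ip_network(cidr)) for label, cidr in WATCHED_RANGES]

# Backends the application contacts on its own (constructed: PostgreSQL, GeoServer).
# Without this allowlist a deployment on a private subnet alerts on every request.
KNOWN_BACKENDS = {("10.20.0.12", 5432), ("10.20.0.14", 8080)}

# Constructed egress records: one upload at 10:15 that pivots to the metadata service and
# three internal services, one legitimate database connection, and one unrelated host.
SAMPLE_LOG = """\
2026-04-12T10:15:01Z src=10.20.0.7 dst=93.184.216.34 dport=443 sni=files.example.org
2026-04-12T10:15:02Z src=10.20.0.7 dst=10.20.0.12 dport=5432
2026-04-12T10:15:03Z src=10.20.0.7 dst=169.254.169.254 dport=80 uri=/latest/meta-data/iam/
2026-04-12T10:15:04Z src=10.20.0.7 dst=127.0.0.1 dport=6379
2026-04-12T10:15:05Z src=10.20.0.7 dst=10.20.0.12 dport=9200 uri=/_cat/indices
2026-04-12T10:15:06Z src=10.20.0.7 dst=10.20.0.13 dport=22
2026-04-12T10:15:20Z src=10.20.0.33 dst=10.20.0.12 dport=9200 uri=/_cluster/health
2026-04-12T10:19:40Z src=10.20.0.7 dst=::1 dport=8000 uri=/admin/
"""


def parse_record(line):
    """'<ts> k=v k=v ...' -> dict with a datetime 'ts' and an int 'dport'."""
    ts, _, rest = line.strip().partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["dport"] = int(rec.get("dport", 0))
    return rec


def watched_label(dst):
    """Label of the first watched range containing dst, or None for public/unparseable."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for label, net in WATCHED:
        if ip in net:                       # version mismatch simply yields False
            return label
    return None


def find_ssrf_egress(lines, server_ips, allowlist=KNOWN_BACKENDS):
    """Connections from the GeoNode server to watched ranges, minus allowlisted backends."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("src") not in server_ips:
            continue
        if (rec.get("dst"), rec["dport"]) in allowlist:
            continue
        label = watched_label(rec.get("dst", ""))
        if label is None:
            continue
        findings.append({"ts": rec["ts"], "dst": rec["dst"], "dport": rec["dport"],
                         "label": label, "uri": rec.get("uri", "")})
    return findings


def first_recon_burst(findings, window_s=60, min_targets=3):
    """First window in which >= min_targets distinct internal (dst, port) pairs were hit."""
    for i, first in enumerate(findings):
        targets = {(f["dst"], f["dport"]) for f in findings[i:]
                   if (f["ts"] - first["ts"]).total_seconds() <= window_s}
        if len(targets) >= min_targets:
            return first["ts"], sorted(targets)
    return None


if __name__ == "__main__":
    hits = find_ssrf_egress(SAMPLE_LOG.splitlines(), {"10.20.0.7"})
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['label']:<20} {h['dst']}:{h['dport']} {h['uri']}")
    print("recon burst:", first_recon_burst(hits))
```

Each finding should be correlated with the GeoNode application log for a document upload in the same second or two and with the account that performed it; the metadata request in particular stands out because a non-browser GET to 169.254.169.254 from an application server is something the application itself never does.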


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade GeoNode to version 4.4.5 or later if using the 4.x series, or to version 5.0.2 or later if using the 5.x series, as these versions contain fixes addressing this SSRF vulnerability.

Additionally, restricting document upload permissions to trusted users and monitoring outbound HTTP requests from the server can help reduce risk until the upgrade is applied. Egress filtering at the host or network layer, denying connections from the GeoNode process to loopback, RFC1918 and link-local destinations it does not need, limits what a successful SSRF can reach; on AWS, requiring IMDSv2 (which needs a token obtained via a PUT request) keeps a simple GET-based SSRF from reading instance metadata and credentials.

