CVE-2026-39922
Received Received - Intake
Server-Side Request Forgery in GeoNode Service Registration Endpoint

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: VulnCheck

Description
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39922
EUVD
EUVD-2026-21581
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
geosolutionsgroup geonode From 4.0.0 (inc) to 4.4.5 (exc)
geosolutionsgroup geonode From 5.0.0 (inc) to 5.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39922 is a Server-Side Request Forgery (SSRF) vulnerability found in GeoNode versions before 4.4.5 and 5.0 before 5.0.2. It exists in the service registration endpoint, where authenticated users can submit a specially crafted service URL during form validation.

This crafted URL causes the server to make outbound network requests to arbitrary URLs without proper validation. The vulnerability arises because the Web Map Service (WMS) handler does not properly filter private IP addresses or enforce an allowlist.

As a result, attackers can probe internal network resources such as loopback addresses, private IP ranges defined by RFC1918, link-local addresses, and cloud metadata services.

Impact Analysis

This vulnerability can allow an authenticated attacker to make the GeoNode server send requests to internal or protected network resources that are normally inaccessible from outside.

By exploiting this, attackers can gather sensitive information about the internal network, potentially access cloud metadata services, and perform reconnaissance that could lead to further attacks.

The impact includes unauthorized access to internal systems, exposure of sensitive data, and increased risk of lateral movement within the network.

Detection Guidance

This vulnerability involves an authenticated attacker submitting a crafted service URL to the GeoNode service registration endpoint, triggering outbound requests to arbitrary URLs. Detection would involve monitoring for unusual outbound HTTP requests originating from the GeoNode server, especially to internal IP ranges such as loopback addresses, RFC1918 private IP ranges, link-local addresses, or cloud metadata service URLs.

Commands to detect potential exploitation attempts could include network monitoring tools or logs inspection on the GeoNode server to identify outbound requests to suspicious internal or metadata service IPs.

  • Use tcpdump or similar to capture outbound traffic from the GeoNode server, filtering for internal IP ranges, e.g.: tcpdump -i eth0 dst net 127.0.0.0/8 or dst net 10.0.0.0/8 or dst net 169.254.0.0/16
  • Check GeoNode application logs for requests to the service registration endpoint containing unusual or suspicious service URLs.
  • Use curl or wget commands to test the service registration endpoint with crafted URLs to verify if the server triggers outbound requests.
Mitigation Strategies

The primary mitigation is to upgrade GeoNode to a fixed version: 4.4.5 or later for the 4.x branch, or 5.0.2 or later for the 5.x branch.

Until an upgrade can be performed, restrict access to the service registration endpoint to trusted authenticated users only, and monitor for suspicious activity.

Implement network-level controls to block outbound requests from the GeoNode server to internal IP ranges and cloud metadata service IPs to reduce the risk of exploitation.

Compliance Impact

The provided information does not specify how the CVE-2026-39922 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39922. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart