CVE-2026-42351
Received Received - Intake
Directory Traversal in pygeoapi STAC FileSystemProvider

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42351
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
geopy pygeoapi From 0.23.0 (inc) to 0.23.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker to access directories and potentially sensitive files without authentication by exploiting the path traversal issue.

Since the vulnerability allows unauthorized directory exposure, it can lead to information disclosure, which may compromise confidentiality.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade pygeoapi to version 0.23.3 or later, where the issue has been patched.

Additionally, deploying pygeoapi behind a proxy or web front end that normalizes URLs containing '..' values can help prevent exploitation.

Executive Summary

This vulnerability exists in pygeoapi versions from 0.23.0 to before 0.23.3, specifically in the STAC FileSystemProvider plugin. It involves raw string path concatenation that can allow unauthorized requests to access directories within STAC collection-based collections.

The issue occurs when pygeoapi is deployed without a proxy or web front end that normalizes URLs containing '..' path traversal sequences, combined with a resource of type stac-collection defined in the configuration.

This vulnerability was fixed in version 0.23.3.

Compliance Impact

This vulnerability allows unauthorized exposure of directories containing STAC collections due to a path concatenation flaw in pygeoapi's STAC FileSystemProvider plugin. Such unauthorized data exposure could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

However, the provided information does not specify the nature of the data exposed or whether it includes personal or sensitive information covered by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart