CVE-2026-42351
Received Received - Intake

Directory Traversal in pygeoapi STAC FileSystemProvider

Vulnerability report for CVE-2026-42351, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-07-09
AI Q&A
2026-05-09
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
geopy pygeoapi From 0.23.0 (inc) to 0.23.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in pygeoapi versions from 0.23.0 to before 0.23.3, specifically in the STAC FileSystemProvider plugin. It involves raw string path concatenation that can allow unauthorized requests to access directories within STAC collection-based collections.

The issue occurs when pygeoapi is deployed without a proxy or web front end that normalizes URLs containing '..' path traversal sequences, combined with a resource of type stac-collection defined in the configuration.

This vulnerability was fixed in version 0.23.3.

Impact Analysis

This vulnerability can allow an attacker to access directories and potentially sensitive files without authentication by exploiting the path traversal issue.

Since the vulnerability allows unauthorized directory exposure, it can lead to information disclosure, which may compromise confidentiality.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade pygeoapi to version 0.23.3 or later, where the issue has been patched.

Additionally, deploying pygeoapi behind a proxy or web front end that normalizes URLs containing '..' values can help prevent exploitation.

Compliance Impact

This vulnerability allows unauthorized exposure of directories containing STAC collections due to a path concatenation flaw in pygeoapi's STAC FileSystemProvider plugin. Such unauthorized data exposure could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

However, the provided information does not specify the nature of the data exposed or whether it includes personal or sensitive information covered by these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart