{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39922", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-07T20:57:06.210Z", "datePublished": "2026-04-10T19:53:05.159Z", "dateUpdated": "2026-05-08T14:08:09.304Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:08:09.304Z"}, "title": "GeoNode SSRF via Service Registration", "descriptions": [{"lang": "en", "value": "GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement."}], "datePublic": "2026-04-10T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "affected": [{"vendor": "GeoNode", "product": "GeoNode", "repo": "https://github.com/GeoNode/geonode", "versions": [{"status": "affected", "version": "4.0.0", "lessThanOrEqual": "4.4.5", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThanOrEqual": "5.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"}}], "references": [{"url": "https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "Elure (Marasescu Mihnea-Luca)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:35:42.484560Z", "id": "CVE-2026-39922", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:36:23.783Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39922", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:35:42.484560Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:36:04.385Z"}}], "cna": {"title": "GeoNode SSRF via Service Registration", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Elure (Marasescu Mihnea-Luca)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/GeoNode/geonode", "vendor": "GeoNode", "product": "GeoNode", "versions": [{"status": "affected", "version": "4.0.0", "versionType": "semver", "lessThanOrEqual": "4.4.5"}, {"status": "affected", "version": "5.0.0", "versionType": "semver", "lessThanOrEqual": "5.0.2"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-10T00:00:00.000Z", "references": [{"url": "https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:08:09.304Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39922", "state": "PUBLISHED", "dateUpdated": "2026-05-08T14:08:09.304Z", "dateReserved": "2026-04-07T20:57:06.210Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-10T19:53:05.159Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geosolutionsgroup:geonode:*:*:*:*:*:*:*:*", "matchCriteriaId": "63411221-3957-4534-967C-B76A963F1A8B", "versionEndExcluding": "4.4.5", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:geosolutionsgroup:geonode:*:*:*:*:*:*:*:*", "matchCriteriaId": "D170633C-B353-4CEA-A77E-3477016B5B98", "versionEndExcluding": "5.0.2", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement."}], "id": "CVE-2026-39922", "lastModified": "2026-04-16T01:16:10.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-10T20:16:22.270", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0,4.4.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0,5.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GeoNode", "source": "cna", "vendor": "GeoNode"}, "product": "geonode", "vendor": "geonode"}], "analysis": {"en": {"generated_at": "2026-04-17T08:58:45.847187+00:00", "value": {"mitigation_remediation": ["Upgrade GeoNode to version 4.4.5 or 5.0.2 or later to eliminate the SSRF flaw.", "If an immediate upgrade is not possible, disable the service registration form or restrict outbound network traffic from the GeoNode application to prevent requests to internal or private IP ranges.", "Monitor application logs for attempts to register services and review network traffic for unexpected outbound connections."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Affected versions are GeoNode 4.0 through 4.4.4 and GeoNode 5.0 through 5.0.1. The product is GeoNode, an open\u2011source platform for geospatial content management. Patches that address this issue are available in GeoNode 4.4.5 and 5.0.2, as referenced in the official release notes.", "description_and_impact": "GeoNode versions 4.4.5 and 5.0.2, and earlier releases in the same series, contain a server\u2011side request forgery flaw in the service registration endpoint. Authenticated attackers can submit a crafted service URL that the server validates and subsequently fetches, causing outbound HTTP(S) requests to arbitrary destinations. This ability lets attackers probe internal network assets\u2014including loopback interfaces, RFC1918 private ranges, link\u2011local addresses, and cloud metadata services\u2014by exploiting insufficient URL validation in the WMS service handler lacking private\u2011IP filtering or allowlist enforcement. The vulnerability is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS\u202fv3.1 score is\u202f5.3, indicating medium severity. EPSS score is <1%, suggesting a low but non\u2011zero probability of exploitation, and the flaw is not currently listed in the CISA\u202fKEV catalog. Because only authenticated users can trigger the SSRF, the attack requires valid credentials and presumably a web session. Nonetheless, an attacker could use the discovered bypass to discover internal host addresses or access privileged metadata endpoints, which could serve as a foothold for further exploitation. Organizations should promptly assess whether their installations run a vulnerable version and prioritize applying the available patch."}}}}, "created": "2026-04-13T12:42:36.390102+00:00", "updated": "2026-04-17T09:00:10.992000+00:00", "vendors": ["geonode", "geonode$PRODUCT$geonode"]}