SSRF in GeoNode
CVE-2026-39921
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a maliciou…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (13.4th percentile)
Affected products
- GeoNode — versions 4.0, 4.0.0, 5.0
Weakness classification (CWE)
References
- github.com/GeoNode/geonode/releases/tag/5.0.2 (release-notes, patch)
- github.com/GeoNode/geonode/releases/tag/4.4.5 (release-notes, patch)
- github.com/GeoNode/geonode/pull/14058 (issue-tracking)
- github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1 (patch)
- github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571 (patch)
- www.vulncheck.com/advisories/geonode-ssrf-via-document-upload (third-party-advisory)