SSRF in GeoNode
CVE-2026-39922
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (13.7th percentile)
Affected products
- GeoNode — versions 4.0, 4.0.0, 5.0
Weakness classification (CWE)
References
- github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3 (vendor-advisory)
- www.vulncheck.com/advisories/geonode-ssrf-via-service-registration (third-party-advisory)