Is there a patch available for CVE-2026-39921?

Yes, a patch is available for CVE-2026-39921. Update the affected software to the latest version immediately.

Geonode CVE-2026-39921

Q: What is the CVSS score of CVE-2026-39921?

CVE-2026-39921 has a CVSS 4.0 base score of 5.3 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-21579 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-10 VulnCheck

GHSA-x87c-g7pw-2xr5

SSRF Geonode

5.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.3 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 10, 2026 - 20:15 euvd

EUVD-2026-21579

Analysis Generated

Apr 10, 2026 - 20:15 vuln.today

Patch released

Apr 10, 2026 - 20:15 nvd

Patch available

CVE Published

Apr 10, 2026 - 19:52 nvd

MEDIUM 5.3

DescriptionCVE.org

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.

AnalysisAI

Server-side request forgery in GeoNode 4.0-4.4.4 and 5.0-5.0.1 allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by supplying a malicious URL via the doc_url parameter, enabling attacks against internal network resources, loopback addresses, RFC1918 networks, and cloud metadata services without SSRF mitigations. CVSS 5.3 reflects low confidentiality and integrity impact but requires prior authentication; no public exploit code or active exploitation has been identified.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 5.3 indicates moderate risk with low immediate impact, but contextual factors elevate real-world concern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated user with document upload permissions crafts a malicious POST request to the document upload endpoint, setting the doc_url parameter to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS metadata service). The GeoNode server, lacking SSRF validation, fetches the URL and exposes temporary AWS credentials in the response, which the attacker can intercept or log via error messages. …
Remediation	Upgrade GeoNode to version 4.4.5 or later for the 4.x series, or version 5.0.2 or later for the 5.x series. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39921 vulnerability details – vuln.today

Back