Skip to main content

CVE-2026-42352

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-29 https://github.com/geopython/pygeoapi GHSA-jgvc-94c8-3chc
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch released
Apr 29, 2026 - 22:30 nvd
Patch available
CVE Published
Apr 29, 2026 - 22:19 nvd
HIGH 8.6

DescriptionGitHub Advisory

Impact

OGC API - Process execution requests can use the subscriber object to requests to internal HTTP services.

Patches

The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new allow_internal_requests directive.

The commit/fix can be found in 3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef.

Workarounds

Users can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.

Analysis

Impact

OGC API - Process execution requests can use the subscriber object to requests to internal HTTP services.

Patches

The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new allow_internal_requests directive.

The commit/fix can be found in 3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef.

Workarounds

Users can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.

Share

CVE-2026-42352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy