CVE-2026-42352
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
OGC API - Process execution requests can use the subscriber object to requests to internal HTTP services.
Patches
The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new allow_internal_requests directive.
The commit/fix can be found in 3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef.
Workarounds
Users can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.
Analysis
Impact
OGC API - Process execution requests can use the subscriber object to requests to internal HTTP services.
Patches
The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new allow_internal_requests directive.
The commit/fix can be found in 3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef.
Workarounds
Users can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jgvc-94c8-3chc