GeoNetwork CVE-2026-46487
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network request to the search API (AV:N/AC:L/PR:N/UI:N) discloses full restricted records (C:H) with no write or availability effect (I:N/A:N).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
GeoNetwork's Elasticsearch-backed search API is responsible for injecting access-control and visibility filters into every request before it reaches the underlying Elasticsearch index. Under certain request conditions, that filtering step does not run, allowing an unauthenticated user to retrieve indexed metadata records that should be restricted, including records limited to specific groups.
Details
The search proxy layer forwards client-supplied search requests to Elasticsearch after adding GeoNetwork's own access-control and filter clauses. A flaw in how that filter-injection step is triggered means it can be skipped under certain conditions, so the affected request reaches Elasticsearch without the intended access restrictions applied.
Impact
This is an authorization bypass leading to information disclosure (CWE-862: Missing Authorization). The skipped filter step is responsible for enforcing several layers of access control at once: group-based record visibility, draft record exclusion, record ownership checks, and portal-specific filtering.
Any public-facing GeoNetwork 4.x instance (4.0.0-alpha.1 through 4.4.10) is affected. An unauthenticated attacker can retrieve the full contents of metadata records that should not be publicly visible.
AnalysisAI
Authorization bypass and information disclosure in GeoNetwork 4.x (4.0.0-alpha.1 through 4.4.10) lets an unauthenticated remote user retrieve restricted metadata records through the Elasticsearch-backed search API. Under certain request conditions the proxy layer skips the step that injects GeoNetwork's access-control filters, so requests reach the index without group-visibility, ownership, draft-exclusion, or portal filtering applied. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation targets GeoNetwork's Elasticsearch search proxy on a public-facing 4.x deployment (4.0.0-alpha.1-4.4.10) and requires no authentication (PR:N), no user interaction (UI:N), and no special privileges. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) is internally consistent: network-reachable, low complexity, no privileges or user interaction, high confidentiality impact with no integrity or availability effect - a pure read-only disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates an internet-facing GeoNetwork 4.x catalog and sends crafted search requests to its Elasticsearch-backed search API that meet the condition causing the access-control filter step to be skipped. Because no authentication is required, the attacker receives the full contents of restricted, draft, or group-limited metadata records that should have been hidden, and can script the requests to harvest the entire non-public catalog. … |
| Remediation | Upgrade to a fixed GeoNetwork release above 4.4.10 as published in advisory GHSA-582q-v28r-7cxr (https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-582q-v28r-7cxr); the advisory data does not include an explicit fix version string in this input, so confirm the exact patched build directly from that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
WITHIN 24 HOURS: Conduct an inventory of all GeoNetwork instances running versions 4.0.0-alpha.1 through 4.4.10 and document network accessibility. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-582q-v28r-7cxr