GHSA-JGVC-94C8-3CHC

Vulnerability from github – Published: 2026-04-29 22:19 – Updated: 2026-04-29 22:19
VLAI?
Summary
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber
Details

Impact

OGC API - Process execution requests can use the subscriber object to requests to internal HTTP services.

Patches

The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new allow_internal_requests directive.

The commit/fix can be found in 3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef.

Workarounds

Users can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.

Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pygeoapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.23.0"
            },
            {
              "fixed": "0.23.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T22:19:53Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nOGC API - Process execution requests can use the `subscriber` object to requests to internal HTTP services.\n\n### Patches\nThe issue has been patched in master branch and made available as part of the 0.23.3 release.  The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new `allow_internal_requests` directive.\n\nThe commit/fix can be found in [3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef](https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef).\n\n### Workarounds\nUsers can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.",
  "id": "GHSA-jgvc-94c8-3chc",
  "modified": "2026-04-29T22:19:54Z",
  "published": "2026-04-29T22:19:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geopython/pygeoapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber  "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.