Medium severity 6.3 · NVD Advisory · Published Apr 10, 2026 · Updated Apr 16, 2026
CVE-2026-39921
Description
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.
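The description names private IP filtering and redirect validation as the missing mitigations. One way to apply both to a user-supplied URL such as doc_url is shown below in Python; this is an added example, not GeoNode's fix or code from the referenced commits, and the names check_url, fetch_checked, resolve and the fetch callback are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

def resolve(host, port):
    """Default resolver; uses the system resolver, so names need DNS."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_public(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # classify ::ffff:10.0.0.1 as 10.0.0.1
    return ip.is_global and not ip.is_multicast

def check_url(url, resolver=resolve):
    """Return None if every address behind url is public, else a reason."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "scheme or host not allowed"
    try:
        addrs = resolver(parts.hostname, port)
    except OSError:
        return "host did not resolve"
    bad = [a for a in addrs if not is_public(a)]
    if bad or not addrs:
        return "non-public address: %s" % (bad[0] if bad else "none returned")
    return None

def fetch_checked(url, fetch, resolver=resolve, max_hops=3):
    """Follow redirects by hand, re-validating every hop before requesting it.

    fetch(url) is a caller-supplied callback (hypothetical) that performs one
    request with automatic redirects disabled and returns (status, location).
    """
    for _ in range(max_hops + 1):
        reason = check_url(url, resolver)
        if reason:
            raise ValueError("refused %s: %s" % (url, reason))
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, status
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")
```

Because the check resolves the name separately from the HTTP client, the client should connect to the address that was validated; otherwise a DNS answer that changes between check and request bypasses the filter.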
Affected products
- cpe:2.3:a:geosolutionsgroup:geonode:*:*:*:*:*:*:*:* (range: >=4.0.0,<4.4.5)
- (no CPE) (range: >=4.0, <4.4.5 || >=5.0, <5.0.2)
References
- www.vulncheck.com/advisories/geonode-ssrf-via-document-upload (nvd: Third Party Advisory)
- github.com/GeoNode/geonode/releases/tag/4.4.5 (nvd: Product, Release Notes)
- github.com/GeoNode/geonode/releases/tag/5.0.2 (nvd: Product, Release Notes)
- github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571 (nvd)
- github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1 (nvd)
- github.com/GeoNode/geonode/pull/14058 (nvd)