CVE-2026-42351
Description
pygeoapi is a Python server implementation of the OGC API suite of standards. In versions 0.23.0 up to but not including 0.23.3, the STAC FileSystemProvider plugin builds on-disk paths by raw string concatenation of a request-derived path, so a request against a resource of type stac-collection can expose directories outside the configured data directory without authentication. The issue manifests only when pygeoapi is deployed without a reverse proxy or web front end that normalizes `..` segments in URLs before they reach the application, and a resource of type stac-collection is defined in the configuration. The issue has been patched in version 0.23.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pygeoapi (PyPI) | >= 0.23.0, < 0.23.3 | 0.23.3 |
Patches
bf25b8695edb STAC: secure resource pathing
2 files changed · +14 −3
pygeoapi/provider/filesystem.py+9 −2 modified@@ -2,7 +2,7 @@ # # Authors: Tom Kralidis <tomkralidis@gmail.com> # -# Copyright (c) 2023 Tom Kralidis +# Copyright (c) 2026 Tom Kralidis # # Permission is hereby granted, free of charge, to any person # obtaining a copy of this software and associated documentation @@ -34,6 +34,7 @@ import os from pygeoapi.provider.base import (BaseProvider, ProviderConnectionError, + ProviderInvalidQueryError, ProviderNotFoundError) from pygeoapi.util import file_modified_iso8601, get_path_basename, url_join @@ -76,9 +77,15 @@ def get_data_path(self, baseurl, urlpath, dirpath): root_link = None child_links = [] - data_path = os.path.join(self.data, dirpath) + if '..' in dirpath: + msg = f'Invalid path requested' + LOGGER.error(f'{msg}: {dirpath}') + raise ProviderInvalidQueryError(msg) + data_path = self.data + dirpath + LOGGER.debug(f'Data path: {data_path}') + if '/' not in dirpath: # root root_link = baseurl else:
tests/provider/test_filesystem_provider.py+5 −1 modified@@ -2,7 +2,7 @@ # # Authors: Tom Kralidis <tomkralidis@gmail.com> # -# Copyright (c) 2021 Tom Kralidis +# Copyright (c) 2026 Tom Kralidis # # Permission is hereby granted, free of charge, to any person # obtaining a copy of this software and associated documentation @@ -30,6 +30,7 @@ import os import pytest +from pygeoapi.provider.base import ProviderInvalidQueryError from pygeoapi.provider.filesystem import FileSystemProvider THISDIR = os.path.dirname(os.path.realpath(__file__)) @@ -73,3 +74,6 @@ def test_query(config): 'osm_id': 'int' } assert r['assets']['default']['href'] == 'http://example.org/stac/poi_portugal.gpkg' # noqa + + with pytest.raises(ProviderInvalidQueryError): + _ = p.get_data_path(baseurl, urlpath, '../../poi_portugal')
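Review bot: the `if '..' in dirpath` guard in get_data_path is a substring denylist rather than a containment check; it rejects any legitimate entry whose name happens to contain two consecutive dots (e.g. `release..v2`), and the new `data_path = self.data + dirpath` raw concatenation still relies entirely on that denylist to keep the result under `self.data`. Resolve the joined path with os.path.realpath and require `os.path.commonpath([realpath(self.data), data_path]) == realpath(self.data)` before using it; that also covers symlinks under the data directory and absolute `dirpath` values, neither of which the substring test addresses. With raw concatenation the separator between `self.data` and `dirpath` now has to come from one of the two operands, so the expected form of `dirpath` is worth documenting in the docstring. Minor: `msg = f'Invalid path requested'` is an f-string with no placeholders; drop the `f` prefix.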
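Review bot: the added assertion in test_query only exercises the `'../../poi_portugal'` case. Add a case for an absolute dirpath and one for a name where `..` is not a path segment (e.g. `'a..b'`), so the test pins down the containment guarantee rather than only the substring check, and records whether rejecting such names is intended. The `_ =` assignment inside the `pytest.raises` block is unnecessary; call `p.get_data_path(baseurl, urlpath, '../../poi_portugal')` directly.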
Vulnerability mechanics
Before the fix, FileSystemProvider.get_data_path() built the on-disk path as os.path.join(self.data, dirpath), where dirpath is derived from the request URL and was never validated. A dirpath containing `..` segments therefore resolves outside the provider's configured data directory, and the root and child links the provider generates describe whatever directory the path lands in. This is why the description names a bare deployment as the exposed one: a reverse proxy or web front end that collapses `..` segments before forwarding keeps such a path from reaching get_data_path. The patch (bf25b8695edb) rejects any dirpath containing `..` with ProviderInvalidQueryError before the path is built, and the accompanying test asserts that `'../../poi_portugal'` is refused.
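As an added illustration (not pygeoapi's code and not the patch), the following Python models the three path constructions at issue: the unvalidated join of the vulnerable versions, the `..` substring test the patch introduced, and a containment check that resolves the candidate path and requires it to stay under the data root. It also covers the absolute-path case, which os.path.join honours by discarding the root; that is a general property of os.path.join, not a vector described by this advisory. DATA_ROOT, InvalidPathError and all function names are assumptions made for the example.

```python
import os

# Constructed example root for the demonstration; it does not need to exist
# on disk, since the functions below only normalise path strings.
DATA_ROOT = "/srv/pygeoapi/data"


class InvalidPathError(ValueError):
    """Stand-in for the provider's ProviderInvalidQueryError (hypothetical name)."""


def unsafe_data_path(data_root: str, dirpath: str) -> str:
    """Mirror the pre-fix construction: join a request-derived dirpath onto the
    data root with no validation. '..' segments survive, and an absolute dirpath
    makes os.path.join drop data_root entirely."""
    return os.path.join(data_root, dirpath)


def escapes_root(data_root: str, dirpath: str) -> bool:
    """Where the unvalidated join actually lands once the OS normalises it."""
    root = os.path.normpath(data_root)
    resolved = os.path.normpath(unsafe_data_path(data_root, dirpath))
    return os.path.commonpath([root, resolved]) != root


def substring_check(dirpath: str) -> bool:
    """The guard the patch introduced: accept only if '..' appears nowhere.
    Note that this also refuses benign names such as 'release..v2'."""
    return ".." not in dirpath


def safe_data_path(data_root: str, dirpath: str) -> str:
    """Containment check: reject absolute input, resolve the candidate (which
    also follows symlinks) and require it to stay under the resolved root."""
    if os.path.isabs(dirpath):
        raise InvalidPathError(f"absolute path rejected: {dirpath!r}")
    root = os.path.realpath(data_root)
    candidate = os.path.realpath(os.path.join(root, dirpath))
    if os.path.commonpath([root, candidate]) != root:
        raise InvalidPathError(f"path escapes data root: {dirpath!r}")
    return candidate


def is_rejected(data_root: str, dirpath: str) -> bool:
    """True if the containment check refuses dirpath."""
    try:
        safe_data_path(data_root, dirpath)
    except InvalidPathError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request-derived inputs: a benign entry, the traversal from
    # the fix's test, an absolute path, and a benign name containing '..'.
    for dirpath in ("poi_portugal", "../../poi_portugal", "/etc", "release..v2"):
        print(
            f"{dirpath!r:24} unsafe -> {unsafe_data_path(DATA_ROOT, dirpath)!s:40} "
            f"escapes={escapes_root(DATA_ROOT, dirpath)!s:5} "
            f"substring_ok={substring_check(dirpath)!s:5} "
            f"containment_rejects={is_rejected(DATA_ROOT, dirpath)}"
        )
```

The containment check is the one to keep: it answers the actual question (does the resolved path stay under the data root) instead of guessing at the strings that could make it leave, so it also handles absolute input and symlinks, and it does not refuse entries whose names merely contain two dots.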
References
- github.com/advisories/GHSA-f6pr-83pg-ghh6 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-42351 (NVD entry)
- github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52 (fix commit)
- github.com/geopython/pygeoapi/releases/tag/0.23.3 (patched release)
- github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6 (project security advisory)