CVE-2026-39921

Name of the Vulnerable Software and Affected Versions GeoNode versions 4.0 through 4.4.5 and 5.0 through 5.0.2

Description GeoNode versions 4.0 through 4.4.5 and 5.0 through 5.0.2 contain a server-side request forgery issue. Authenticated users with document upload permissions can trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services, causing the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.

Recommendations Update to GeoNode version 4.4.5 or later. Update to GeoNode version 5.0.2 or later.