PT-2026-32034 · Geonode · Geonode
Elure · Published 2026-04-10 · Updated 2026-06-08 · CVE-2026-39922
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
GeoNode versions 4.0 through 4.4.5 and 5.0 through 5.0.2
Description
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 are affected by a server-side request forgery issue in the service registration endpoint. Authenticated attackers can trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Insufficient URL validation in the WMS service handler, without private IP filtering or allowlist enforcement, allows attackers to probe internal network targets, including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services.
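The two controls the description names as missing, private-address filtering and allowlist enforcement, can be sketched as a pre-fetch check on a submitted service URL. This is an added example, not GeoNode's code or its patch; the function names, the sample hostnames and the stand-in resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_public_address(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.5) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC1918 and link-local (169.254.0.0/16).
    return ip.is_global

def resolve_host(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_service_url(url, allowed_hosts=None, resolve=resolve_host):
    """Return (ok, reason) for a user-supplied service URL before any fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        addresses = resolve(host, port)
    except OSError:
        return False, "host does not resolve"
    # Every resolved address must be public: one private record rejects the URL.
    if not addresses or not all(is_public_address(a) for a in addresses):
        return False, "resolves to non-public address"
    return True, "ok"

# Constructed sample data: a stand-in resolver so the example runs offline.
SAMPLE_DNS = {"maps.example.org": ["93.184.216.34"],
              "gis.corp.example": ["10.0.0.5"],
              "mixed.example.org": ["93.184.216.34", "127.0.0.1"]}

def sample_resolver(host, port):
    try:
        # Known sample name, otherwise treat the host as a literal IP address.
        return SAMPLE_DNS.get(host) or [str(ipaddress.ip_address(host))]
    except ValueError:
        raise OSError("unknown host")
```

The check only holds if the later request connects to the addresses that were validated and every redirect target is re-checked; otherwise a DNS change or a redirect between check and fetch bypasses it.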
Recommendations
Update GeoNode to version 4.4.5 or later.
Update GeoNode to version 5.0.2 or later.
Fix
SSRF
Affected Products
Geonode