CVE-2026-42351

Name of the Vulnerable Software and Affected Versions pygeoapi versions 0.23.0 through 0.23.2

Description A raw string path concatenation issue in the STAC FileSystemProvider plugin allows requests to STAC collection based collections to expose directories without authentication. This occurs when the server is deployed without a proxy or web front end to normalize URLs containing .. values and has a resource of type stac-collection defined in the configuration.

Recommendations Update to version 0.23.3. As a temporary workaround, disable STAC collection based resources in the configuration.