GHSA-582q-v28r-7cxr

Source
https://github.com/advisories/GHSA-582q-v28r-7cxr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-582q-v28r-7cxr/GHSA-582q-v28r-7cxr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-582q-v28r-7cxr
Aliases
  • CVE-2026-46487
Published
2026-07-01T17:57:13Z
Modified
2026-07-01T18:00:21.624780599Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field
Details

Summary

GeoNetwork's Elasticsearch-backed search API is responsible for injecting access-control and visibility filters into every request before it reaches the underlying Elasticsearch index. When the request body omits the query field (the condition named in the summary above), that filtering step does not run, allowing an unauthenticated user to retrieve indexed metadata records that should be restricted, including records limited to specific groups.

Details

The search proxy layer forwards client-supplied search requests to Elasticsearch after adding GeoNetwork's own access-control and filter clauses. The filter-injection step is triggered by the presence of the client-supplied query field, so a request body that omits that field skips the step entirely and reaches Elasticsearch without the intended access restrictions applied. Elasticsearch treats a request with no query as a match-all search, which is why the omitted field yields the whole index rather than nothing.

Impact

This is an authorization bypass leading to information disclosure (CWE-862: Missing Authorization). The skipped filter step is responsible for enforcing several layers of access control at once: group-based record visibility, draft record exclusion, record ownership checks, and portal-specific filtering.

Any GeoNetwork 4.x instance reachable by the attacker (4.0.0-alpha.1 through 4.4.10) is affected; no credentials are needed. An unauthenticated attacker can retrieve the full contents of metadata records that should not be publicly visible. Fixes are available in 4.2.16 and 4.4.11 (see the affected ranges below); no fixed version is listed for the 4.0.x line.
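The following is an added illustration, not GeoNetwork's code: a small Python model of a search proxy whose filter-injection step is keyed on the client's query field, beside a version that always attaches the access-control clause. The index contents, the field names (groupPublished, owner, isDraft), the user shape and the shape of the ACL clause are all constructed for the example; the hardened variant shows one way to close the gap (default a missing query to match_all and still wrap it), not necessarily the project's actual patch. The evaluator implements only the handful of Elasticsearch query clauses the example needs.

```python
import copy

# Constructed index and user shapes for the example (assumptions, not GeoNetwork's schema).
INDEX = [
    {"id": "rec-public", "groupPublished": ["all"], "owner": "alice", "isDraft": False},
    {"id": "rec-gis-team", "groupPublished": ["gis-team"], "owner": "bob", "isDraft": False},
    {"id": "rec-alice-private", "groupPublished": [], "owner": "alice", "isDraft": False},
    {"id": "rec-draft", "groupPublished": [], "owner": "bob", "isDraft": True},
]

ANONYMOUS = {"name": None, "groups": []}


def acl_filter(user):
    """Visibility clause (simplified): public records, records shared with one of
    the user's groups, or records the user owns; drafts are always excluded."""
    should = [{"terms": {"groupPublished": ["all"] + user["groups"]}}]
    if user["name"]:
        should.append({"term": {"owner": user["name"]}})
    return {"bool": {"should": should, "minimum_should_match": 1,
                     "must_not": [{"term": {"isDraft": True}}]}}


def inject_filters_vulnerable(body, user):
    """Filter step keyed on the client's query field: a body without one is
    forwarded untouched, so the ACL clause is never attached."""
    body = copy.deepcopy(body)
    if "query" in body:
        body["query"] = {"bool": {"must": [body["query"]], "filter": [acl_filter(user)]}}
    return body


def inject_filters_fixed(body, user):
    """Always wrap: a missing query means match_all to Elasticsearch, so treat it
    that way and attach the ACL clause regardless."""
    body = copy.deepcopy(body)
    client_query = body.get("query", {"match_all": {}})
    body["query"] = {"bool": {"must": [client_query], "filter": [acl_filter(user)]}}
    return body


def _values(doc, field):
    value = doc.get(field)
    return value if isinstance(value, list) else [value]


def matches(query, doc):
    """Minimal evaluator for the subset of the Elasticsearch query DSL used here."""
    (kind, spec), = query.items()
    if kind == "match_all":
        return True
    if kind == "term":
        (field, value), = spec.items()
        return value in _values(doc, field)
    if kind == "terms":
        (field, wanted), = spec.items()
        return any(v in wanted for v in _values(doc, field))
    if kind == "bool":
        must = [matches(q, doc) for q in spec.get("must", []) + spec.get("filter", [])]
        must_not = [matches(q, doc) for q in spec.get("must_not", [])]
        should = [matches(q, doc) for q in spec.get("should", [])]
        # should clauses are mandatory when minimum_should_match is set or nothing else constrains
        need_should = bool(should) and (spec.get("minimum_should_match", 0) >= 1 or not must)
        return all(must) and not any(must_not) and (any(should) if need_should else True)
    raise ValueError(f"unsupported clause: {kind}")


def search(body, user, inject):
    """Run the request through the proxy's filter step, then against the index."""
    forwarded = inject(body, user)
    query = forwarded.get("query", {"match_all": {}})  # Elasticsearch default for a missing query
    return sorted(doc["id"] for doc in INDEX if matches(query, doc))


if __name__ == "__main__":
    for label, inject in (("vulnerable", inject_filters_vulnerable), ("fixed", inject_filters_fixed)):
        print(label, "anonymous, query omitted:", search({"size": 10}, ANONYMOUS, inject))
        print(label, "anonymous, match_all query:", search({"query": {"match_all": {}}}, ANONYMOUS, inject))
```

With the vulnerable proxy an anonymous body such as {"size": 10} returns every record, drafts and group-restricted ones included, while the same client sending an explicit match_all query gets only the public record; the fixed proxy returns only the public record in both cases. The point to check in a real proxy is the same: the ACL clause must be attached on a code path that runs for every request, not one conditional on what the client chose to send.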

Database specific
{
    "github_reviewed_at": "2026-07-01T17:57:13Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "HIGH"
}
References

Affected packages

Maven
org.geonetwork-opensource:geonetwork

Package

Name
org.geonetwork-opensource:geonetwork
Purl
pkg:maven/org.geonetwork-opensource/geonetwork

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-alpha.1
Last affected
4.0.6-0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-582q-v28r-7cxr/GHSA-582q-v28r-7cxr.json"
org.geonetwork-opensource:geonetwork

Package

Name
org.geonetwork-opensource:geonetwork
Purl
pkg:maven/org.geonetwork-opensource/geonetwork

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.16

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-582q-v28r-7cxr/GHSA-582q-v28r-7cxr.json"
last_known_affected_version_range
"<= 4.2.15"
org.geonetwork-opensource:geonetwork

Package

Name
org.geonetwork-opensource:geonetwork
Purl
pkg:maven/org.geonetwork-opensource/geonetwork

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-582q-v28r-7cxr/GHSA-582q-v28r-7cxr.json"
last_known_affected_version_range
"<= 4.4.10-0"