GHSA-jgvc-94c8-3chc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jgvc-94c8-3chc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jgvc-94c8-3chc/GHSA-jgvc-94c8-3chc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jgvc-94c8-3chc
- Aliases
-
- CVE-2026-42352
- Published
- 2026-04-29T22:19:53Z
- Modified
- 2026-05-13T13:52:35.658617Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber
- Details
-
Impact
OGC API - Process execution requests can use the
subscriberobject to requests to internal HTTP services.Patches
The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new
allow_internal_requestsdirective.The commit/fix can be found in 3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef.
Workarounds
Users can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.
- Database specific
{ "github_reviewed_at": "2026-04-29T22:19:53Z", "github_reviewed": true, "cwe_ids": [ "CWE-918" ], "nvd_published_at": "2026-05-08T23:16:38Z", "severity": "HIGH" }- References
-
- https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc
- https://nvd.nist.gov/vuln/detail/CVE-2026-42352
- https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef
- https://github.com/geopython/pygeoapi
- https://github.com/geopython/pygeoapi/releases/tag/0.23.3
Affected packages
PyPI / pygeoapi
Package
- Name
- pygeoapi
- View open source insights on deps.dev
- Purl
- pkg:pypi/pygeoapi