HIGHCVE-2026-42352Published 2026-05-08Modified 2026-05-11CNA GitHub_M

CVE-2026-42352: pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to requests to internal HTTP services. This issue has been patched in version 0.23.3.

CVSS v3.1: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

geopython / pygeoapi
>= 0.23.0, < 0.23.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc
https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef
https://github.com/geopython/pygeoapi/releases/tag/0.23.3

Metrics