CVE-2026-42352 PUBLISHED

pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber

Assigner: GitHub_M
Reserved: 26.04.2026 Published: 08.05.2026 Updated: 08.05.2026

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API - Processes execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 8.6

Product Status

Vendor: geopython
Product: pygeoapi
Versions:
  • Version >= 0.23.0, < 0.23.3 is affected

References

Problem Types

  • CWE-918: Server-Side Request Forgery (SSRF)