CVE-2026-39921

Name: CVE-2026-39921
Creator: NVD / NIST
Published: 2026-04-10T20:16:22.083+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 0.22%

Last modified Jun 17, 2026

CVE-2026-39921 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.. EPSS estimates a 0.22% chance of exploitation in the next 30 days.

Description

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.

Metrics

CVSS 3.1

6.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS 4.0

5.3/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.22%

12.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

Affected Software

Vendor	Product	Versions
Geosolutionsgroup	Geonode	>= 4.0.0, < 4.4.5
Geosolutionsgroup	Geonode	>= 5.0.0, < 5.0.2

References

https://github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571
https://github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1
https://github.com/GeoNode/geonode/pull/14058
https://github.com/GeoNode/geonode/releases/tag/4.4.5Product, Release Notes
https://github.com/GeoNode/geonode/releases/tag/5.0.2Product, Release Notes
https://www.vulncheck.com/advisories/geonode-ssrf-via-document-uploadThird Party Advisory

Timeline

Published: Apr 10, 2026
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2026-39921?

How severe is CVE-2026-39921?

CVE-2026-39921 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.22% probability of exploitation in the next 30 days.

How do I fix CVE-2026-39921?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-39921?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST