pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber — CVE-2026-42352
GitHub · GitHub · CVE-2026-42352
ID
CVE-2026-42352
CVE-2026-42352
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.6
8.6
EPSS
0.00045
0.00045
Summary
### Impact OGC API - Process execution requests can use the `subscriber` object to requests to internal HTTP services. ### Patches The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new `allow_internal_requests` directive. The commit/fix can be found…
Product
pip: pygeoapi
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.