Description
pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3.
Published: 2026-05-08
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in pygeoapi's OGC API - Processes execution endpoint, where a subscriber object can be supplied without authentication. Because the server issues HTTP requests to the supplied subscriber URL without validating its destination, an attacker can make the server perform arbitrary network requests on their behalf, exposing internal resources or executing code on internal targets. This is a Server-Side Request Forgery (CWE-918) that could compromise the confidentiality and integrity of internal services.

Affected Systems

Affected customers are those running geopython's pygeoapi between versions 0.23.0 and 0.23.2, inclusive, which is before the patch release 0.23.3. The vulnerability applies to all installations of this product, regardless of deployment environment, as no authentication is required to trigger the flaw.

Risk and Exploitability

The CVSS score of 8.6 marks this as high severity, and EPSS data is not available, so the exploitation probability cannot be quantified in the current dataset. The flaw is not listed in the CISA KEV catalog. Because the attack requires only normal HTTP requests to the OGC API endpoint and no special privileges, the likely attack vector is remote interaction over the network. An adversary can send crafted requests from anywhere with network reach to the exposed API, causing the server to reach internal hosts or services that would otherwise be restricted.

Generated by OpenCVE AI on May 8, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pygeoapi 0.23.3 or later to remove the flaw.
  • If upgrade is delayed, restrict network access to the OGC API endpoint so that only trusted IP ranges can reach it, thereby limiting potential internal requests.
  • Monitor API traffic for unusual internal service requests and review logs for SSRF patterns.
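The Impact section above turns on one missing check: the destination of a user-supplied subscriber URL is never validated before the server contacts it. The following is an added example, not pygeoapi's own code and not the 0.23.3 patch, of the kind of destination check a deployment can put in front of any callback URL it is asked to contact. It assumes an injectable resolver so the check can be exercised offline; the `FAKE_DNS` table, the hostnames in it, and the use of 8.8.8.8 as a stand-in public address are all constructed for illustration.

```python
"""Destination validation for user-supplied subscriber callback URLs.

Added example, not pygeoapi's own code or its 0.23.3 patch: it shows the kind
of check a server can run before contacting an OGC API - Processes subscriber
URL, so that the callback can never be pointed at loopback, private,
link-local or otherwise non-public addresses.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(host):
    """Default resolver: every A/AAAA address for host (needs network access)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    """True unless addr is a globally routable unicast address.

    ipaddress's is_global already excludes loopback, RFC 1918, link-local
    (169.254.0.0/16, where cloud metadata services live), unspecified and
    reserved ranges; IPv4-mapped IPv6 forms are unwrapped first so that the
    IPv4 rules apply to them too.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def check_subscriber_url(url, allowed_hosts=None, resolver=resolve_all):
    """Return (ok, reason); ok is True only when the callback is safe to contact.

    allowed_hosts: optional set of lowercase hostnames the deployment permits
                   callbacks to; when given, anything else is rejected before
                   DNS is consulted (an allowlist is the strongest option).
    resolver:      callable host -> set of IP strings; injectable so the check
                   can be exercised offline.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in callback URL not allowed"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    # A literal IP is checked directly; a hostname must pass for every
    # address it resolves to, since a name can map to a mix of public and
    # private addresses.
    try:
        ipaddress.ip_address(host)
        addrs = {host}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return False, f"{host!r} resolves to no address"
    for addr in sorted(addrs):
        if is_internal(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed name table standing in for DNS so the example runs offline.
# 8.8.8.8 is simply a public address used for illustration.
FAKE_DNS = {
    "hooks.example.org": {"8.8.8.8"},
    "metadata.internal": {"169.254.169.254"},
    "mixed.example.net": {"8.8.8.8", "10.0.0.5"},
}


def fake_resolver(host):
    """Resolver over FAKE_DNS; raises like getaddrinfo for unknown names."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no such host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    samples = [
        "https://hooks.example.org/notify",   # public host: accepted
        "http://127.0.0.1:8000/admin",        # loopback literal: rejected
        "http://[::ffff:127.0.0.1]/notify",   # mapped loopback: rejected
        "http://metadata.internal/latest",    # link-local target: rejected
        "http://mixed.example.net/notify",    # one private address: rejected
        "ftp://hooks.example.org/notify",     # wrong scheme: rejected
    ]
    for sample in samples:
        print(f"{sample:38} -> {check_subscriber_url(sample, resolver=fake_resolver)}")
```

Two caveats matter in practice. A name that passes at submission time can resolve differently when the callback is actually sent, so the resolved address should be pinned into the outgoing connection (or the check re-run immediately before each contact) and HTTP redirects should not be followed automatically, otherwise a public host can still steer the request inward. Logging the `reason` string for every rejected URL, and the final destination of every accepted one, gives the monitoring the third recommended action asks for.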


Advisories
Source: Github GHSA
ID: GHSA-jgvc-94c8-3chc
Title: pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber
History

Fri, 08 May 2026 22:45:00 +0000

Type          Values Removed    Values Added
Description                     pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3.
Title                           pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber
Weaknesses                      CWE-918
References
Metrics                         cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:31:50.110Z

Reserved: 2026-04-26T13:26:14.515Z

Link: CVE-2026-42352

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T23:16:38.317

Modified: 2026-05-08T23:16:38.317

Link: CVE-2026-42352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:00:25Z

Weaknesses