CVE-2026-39921 Overview
CVE-2026-39921 is a Server-Side Request Forgery (SSRF) vulnerability affecting GeoNode, an open-source geospatial content management system. The vulnerability exists in versions 4.0 before 4.4.5 and versions 5.0 before 5.0.2, allowing authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload operations.
Attackers can exploit this vulnerability by supplying URLs pointing to internal network targets, loopback addresses (127.0.0.1), RFC1918 private IP ranges, or cloud metadata services (such as 169.254.169.254). The server processes these requests without implementing proper SSRF mitigations such as private IP filtering or redirect validation, enabling access to internal resources that should not be externally reachable.
Critical Impact
Authenticated attackers can probe internal network infrastructure, access cloud metadata services to steal credentials, and potentially pivot to other internal systems by abusing the server as a proxy.
Affected Products
- GeoSolutionsGroup GeoNode versions 4.0 through 4.4.4
- GeoSolutionsGroup GeoNode versions 5.0 through 5.0.1
- Any deployment with document upload functionality exposed to authenticated users
Discovery Timeline
- 2026-04-10 - CVE-2026-39921 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-39921
Vulnerability Analysis
This SSRF vulnerability originates from insufficient validation of user-supplied URLs during the document upload process in GeoNode. When authenticated users upload documents by providing a remote URL via the doc_url parameter, the application processes the URL and makes server-side HTTP requests to fetch the resource, including generating thumbnails. The vulnerability specifically manifests in the thumbnail generation workflow for remote documents, where the server fetches content from user-controlled URLs without properly validating whether those URLs point to internal or sensitive resources.
The lack of SSRF mitigations means attackers can craft requests to internal services, potentially exposing sensitive configuration data, API keys, or cloud provider instance metadata. In cloud environments, this could lead to credential theft via metadata service access (e.g., AWS IMDSv1, Azure IMDS, or GCP metadata endpoints).
Root Cause
The root cause lies in the document upload handler's failure to implement proper URL validation before making server-side requests. Specifically, the resource_manager.set_thumbnail() function was called for all documents regardless of whether they originated from local storage or remote URLs. The absence of private IP filtering, DNS rebinding protections, and redirect validation allowed attackers to specify arbitrary internal network destinations.
The vulnerable code path processed remote document URLs without distinguishing between trusted external resources and potentially malicious internal targets, creating a classic SSRF attack surface.
Attack Vector
The attack requires authentication with document upload permissions. An attacker exploits the vulnerability by:
- Authenticating to the GeoNode application with a valid user account
- Initiating a document upload operation
- Providing a malicious URL in the doc_url parameter targeting internal resources
- The server makes an HTTP request to the attacker-specified URL during thumbnail generation
- Responses or timing information may reveal internal network topology or leak sensitive data
# Security patch in geonode/documents/views.py
# Source: https://github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571
),
notify=True,
)
- resource_manager.set_thumbnail(self.object.uuid, instance=self.object, overwrite=False)
+
+ # Only trigger thumbnailing for local documents, not for remote URLs
+ if self.object.is_local:
+ resource_manager.set_thumbnail(self.object.uuid, instance=self.object, overwrite=False)
+ else:
+ logger.info(f"Skipping thumbnail generation for remote document: {self.object.doc_url}")
register_event(self.request, enumerations.EventType.EVENT_UPLOAD, self.object)
The patch addresses the vulnerability by disabling thumbnail generation for remote documents, preventing the server from making requests to user-controlled URLs.
Detection Methods for CVE-2026-39921
Indicators of Compromise
- Outbound HTTP requests from the GeoNode server to internal IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254) originating from the application server
- Document upload requests containing suspicious doc_url values pointing to localhost or internal hostnames
- Abnormal patterns of document uploads from single user accounts targeting varied internal endpoints
Detection Strategies
- Monitor web application logs for document upload requests containing doc_url parameters with internal IP addresses or cloud metadata URLs
- Implement network-level monitoring to detect outbound connections from web servers to internal network segments that should not be accessible
- Review authentication logs for accounts exhibiting reconnaissance-like behavior through repeated document uploads
- Deploy web application firewall (WAF) rules to detect and block SSRF payload patterns in upload requests
Monitoring Recommendations
- Configure alerting for outbound traffic from GeoNode servers to RFC1918 addresses or link-local ranges
- Enable detailed logging for all document upload operations including the full doc_url parameter value
- Implement egress filtering on application servers to restrict outbound connections to known-good destinations
- Monitor for failed connection attempts to internal services that may indicate SSRF probing activity
How to Mitigate CVE-2026-39921
Immediate Actions Required
- Upgrade GeoNode to version 4.4.5 or later for the 4.x branch, or version 5.0.2 or later for the 5.x branch
- Review recent document upload logs for signs of exploitation attempts targeting internal resources
- Audit user accounts with document upload permissions and verify their legitimacy
- Implement network segmentation to limit the blast radius if exploitation has occurred
Patch Information
GeoSolutionsGroup has released patched versions addressing this vulnerability. The fix disables thumbnail generation for remote documents, eliminating the SSRF attack vector. Users should upgrade to the following versions:
- GeoNode 4.x: Upgrade to version 4.4.5 or later - GitHub Release v4.4.5
- GeoNode 5.x: Upgrade to version 5.0.2 or later - GitHub Release v5.0.2
The security patches are available in commits 4a852cfc and 9856cb5a. Additional details are available in GitHub Pull Request #14058.
Workarounds
- Restrict document upload permissions to only trusted administrative users until patching is complete
- Implement network-level egress filtering to prevent the GeoNode server from connecting to internal IP ranges
- Deploy a reverse proxy or WAF with SSRF protection rules to filter malicious doc_url values before they reach the application
- Disable remote document upload functionality entirely if not required for business operations
# Example: Network egress filtering using iptables to block internal network access
# Apply on the GeoNode application server
# Block access to common internal ranges from the web application
iptables -A OUTPUT -d 10.0.0.0/8 -m owner --uid-owner www-data -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -m owner --uid-owner www-data -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner www-data -j DROP
iptables -A OUTPUT -d 169.254.169.254 -m owner --uid-owner www-data -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -m owner --uid-owner www-data -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
