{"id":"PYSEC-2026-2986","summary":"pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber  ","details":"### Impact\nOGC API - Process execution requests can use the `subscriber` object to requests to internal HTTP services.\n\n### Patches\nThe issue has been patched in master branch and made available as part of the 0.23.3 release.  The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new `allow_internal_requests` directive.\n\nThe commit/fix can be found in [3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef](https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef).\n\n### Workarounds\nUsers can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.","aliases":["CVE-2026-42352","GHSA-jgvc-94c8-3chc"],"modified":"2026-07-13T16:32:42.867767809Z","published":"2026-07-13T15:02:55.366744Z","references":[{"type":"WEB","url":"https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42352"},{"type":"WEB","url":"https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef"},{"type":"PACKAGE","url":"https://github.com/geopython/pygeoapi"},{"type":"WEB","url":"https://github.com/geopython/pygeoapi/releases/tag/0.23.3"},{"type":"PACKAGE","url":"https://pypi.org/project/pygeoapi"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-jgvc-94c8-3chc"}],"affected":[{"package":{"name":"pygeoapi","ecosystem":"PyPI","purl":"pkg:pypi/pygeoapi"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.23.0"},{"fixed":"0.23.3"}]}],"versions":["0.23.0","0.23.1","0.23.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pygeoapi/PYSEC-2026-2986.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}