Threat Advisory

Pygeoapi Vulnerability Enables Request Forgery

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in pygeoapi, a geospatial data processing and analysis library. The affected software includes versions 0.23.0 to 0.23.3 of the library, which is distributed via pip. The vulnerabilities are a Server-Side Request Forgery (SSRF) and a Path Traversal. If exploited, they can lead to unauthorized access to internal services and to data exposure. The business risk and impact are significant, as the flaws can compromise the security and integrity of sensitive geospatial data.

  • CVE-2026-42352 with a CVSS score of 8.6 – This vulnerability allows an unauthenticated attacker to perform SSRF via OGC API - Processes Subscriber, which can be exploited by sending specially crafted requests to internal HTTP services. An attacker with this capability can access internal resources without authentication.
  • CVE-2026-42351 with a CVSS score of 7.5 – This vulnerability is a Path Traversal issue in pygeoapi's STAC FileSystemProvider plugin, which can expose directories without authentication when pygeoapi is deployed without a proxy or web frontend that normalizes URLs with `..` values.
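The two weaknesses above come down to two untrusted inputs: a subscriber (callback) URL that the server will later fetch, and a client-supplied path that is resolved against a filesystem data root. The following is an added, illustrative example of defensive input validation for both cases; it is not pygeoapi's own code and not the upstream fix. The function names, the injectable `resolver` hook, and all sample inputs are assumptions of this example.

```python
"""
Added example (not pygeoapi code): server-side checks for the two input
classes behind the advisory.

  is_safe_subscriber_url()  - accepts only http(s) URLs whose host resolves
                              exclusively to globally routable addresses, so a
                              server-side fetch cannot be aimed at loopback,
                              private, link-local or metadata addresses (SSRF).
  resolve_within_root()     - resolves a requested path against a configured
                              data root and rejects anything that escapes it,
                              including '..' and percent-encoded '..' segments
                              (path traversal).
"""
import ipaddress
import socket
from pathlib import Path
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve_host(host):
    # Hypothetical helper: resolve up front so the policy is applied to the
    # addresses that would actually be contacted, not just the hostname text.
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def is_safe_subscriber_url(url, resolver=_resolve_host):
    """Return True only if the URL is an http(s) URL to a globally routable host.

    Deny-by-default: unparsable URLs, embedded credentials, unresolvable
    hosts and any non-global address (loopback, RFC 1918, link-local, etc.)
    are all rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # credential-bearing URLs are not a legitimate callback
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False
    # Every resolved address must be global; one internal answer is enough
    # to refuse the whole URL (multi-answer DNS is a classic SSRF bypass).
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def resolve_within_root(data_root, requested):
    """Return the resolved path if it stays inside data_root, else None.

    The request is percent-decoded, any leading '/' is stripped so it cannot
    be treated as absolute, and symlinks and '..' are collapsed by resolve()
    before the containment check.
    """
    root = Path(data_root).resolve()
    cleaned = unquote(requested).lstrip("/")
    candidate = (root / cleaned).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def run_checks():
    # Constructed sample inputs; a stub resolver keeps this offline.
    stub = lambda host: ["8.8.8.8"]  # a public address, returned for any name
    return {
        "public_callback": is_safe_subscriber_url("https://hooks.example.org/notify", resolver=stub),
        "loopback_callback": is_safe_subscriber_url("http://127.0.0.1:8080/admin"),
        "ipv6_loopback": is_safe_subscriber_url("http://[::1]/"),
        "private_callback": is_safe_subscriber_url("http://10.0.0.5/"),
        "file_scheme": is_safe_subscriber_url("file:///etc/passwd"),
        "traversal": resolve_within_root("/srv/stac", "collections/../../etc/passwd"),
        "encoded_traversal": resolve_within_root("/srv/stac", "collections/%2e%2e/%2e%2e/etc/passwd"),
        "in_root": resolve_within_root("/srv/stac", "collections/a/item.json"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Both checks are deny-by-default: the URL check refuses any host that cannot be resolved or that resolves to even one non-global address, and the path check returns `None` rather than a "best effort" path. In a deployment the URL validation would also need to be repeated on redirects, since a callback that initially resolves to a public host can redirect the fetcher to an internal one.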

The overall risk and urgency of these vulnerabilities are high, as they can be exploited by an attacker to access sensitive geospatial data and internal services. If left unaddressed, these vulnerabilities can have significant business consequences, including data breaches, unauthorized access, and disruption of critical geospatial operations. It is essential for organizations that rely on pygeoapi to take immediate action to mitigate these vulnerabilities and protect their sensitive data.

RECOMMENDATION:

  • We recommend updating pygeoapi (installed via pip) to version 0.23.3.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-jgvc-94c8-3chc
https://github.com/advisories/GHSA-f6pr-83pg-ghh6
