pygeoapi RCE: OGC API Vulnerability Exposes Internal Services

The National Vulnerability Database has detailed CVE-2026-42352, a high-severity vulnerability affecting pygeoapi versions 0.23.0 through 0.23.2. This flaw, categorized as CWE-918 (Server-Side Request Forgery - SSRF), allows OGC API process execution requests to leverage the subscriber object for making requests to internal HTTP services. This essentially means an attacker can force the pygeoapi server to connect to arbitrary internal network resources.

This isn’t just a theoretical issue. An SSRF vulnerability like this provides a crucial pivot point. Attackers can map internal networks, scan for open ports, and potentially interact with sensitive internal services that are not exposed to the internet. Think about internal APIs, databases, or management interfaces – all suddenly within reach. The CVSS score of 8.6 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N underscores the critical nature, highlighting network accessibility, low attack complexity, and high confidentiality impact.

The good news is that a patch is available. pygeoapi version 0.23.3 addresses this vulnerability. For any organization running pygeoapi, immediate upgrade is the only sensible course of action. Failing to patch leaves a wide-open door for internal reconnaissance and potential lateral movement.

What This Means For You

  • If your organization uses pygeoapi, you need to check your version immediately. Any deployment running versions 0.23.0 through 0.23.2 is vulnerable to CVE-2026-42352. Prioritize upgrading to version 0.23.3 or newer to close this critical SSRF vector and prevent internal network exposure.
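One way to run that version check in Python, added here as an example that is not part of the advisory or of pygeoapi itself: it reads the installed distribution's version via importlib.metadata and compares it against the range the advisory gives (0.23.0 up to, but not including, 0.23.3). A pre-release suffix such as rc1 or dev4 is ordered before its final release, as in PEP 440, so a 0.23.3 pre-release is conservatively flagged as still affected; whether such builds carry the fix is not stated on this page.

```python
import re
from importlib import metadata

# Range taken from the advisory: 0.23.0 through 0.23.2 affected, 0.23.3 fixed.
# The 4th element marks final (1) versus pre-release (0) builds.
FIRST_AFFECTED = (0, 23, 0, 1)
FIXED = (0, 23, 3, 1)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[.\-]?([A-Za-z]\w*))?\s*$")


def parse_version(text):
    """Return (major, minor, patch, final) so tuples compare in release order.

    final is 0 for a pre-release tag such as 'rc1' or 'dev4' and 1 for a final
    or post release, so '0.23.3rc1' sorts before '0.23.3' (PEP 440 ordering).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    final = 1 if suffix is None or suffix.lower().startswith("post") else 0
    return (int(major), int(minor), int(patch or 0), final)


def is_affected(text):
    """True when the version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED


def installed_status(dist="pygeoapi"):
    """Look up the installed distribution; None when it is not installed here."""
    try:
        version = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    status = installed_status()
    if status is None:
        print("pygeoapi is not installed in this environment")
    else:
        verdict = "AFFECTED, upgrade to 0.23.3 or newer" if status["affected"] else "not in affected range"
        print(f"pygeoapi {status['version']}: {verdict}")
```

Run it inside each virtualenv or container that serves pygeoapi; the check only sees the interpreter it runs under, so a vendored or system-wide copy needs its own run.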

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; one is reproduced below as Sigma YAML.

Level: high · ATT&CK: T1190 (Initial Access)

CVE-2026-42352 - pygeoapi OGC API Process Internal Service Access

Sigma YAML:
title: CVE-2026-42352 - pygeoapi OGC API Process Internal Service Access
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  Detects exploitation attempts against pygeoapi versions prior to 0.23.3 by looking for OGC API process requests that include the 'subscriber=' parameter in the query string, which can be abused to request internal HTTP services. This is a direct indicator of the CVE-2026-42352 vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42352/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/ogc/processes/'
    cs-uri-query|contains:
      - 'subscriber='
    cs-method|exact:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
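As an added example that is not part of this page or of the rule author's tooling, the Python below applies the rule's selection to W3C Extended (IIS-style) access-log lines, with Sigma's default case-insensitive matching, and decodes the subscriber value of each hit so an analyst can see where the server was asked to connect. The sample log entries are constructed, and it is assumed that the rule's cs-uri field corresponds to the W3C cs-uri-stem column. Two caveats a practitioner should keep in mind: OGC API - Processes execute requests normally carry the subscriber object in the POST JSON body, so an access log that records only the query string will see it only when a client puts it there, which makes this a coarse heuristic rather than full coverage; and the '/ogc/processes/' fragment should be adjusted to the base path of your deployment.

```python
from urllib.parse import parse_qs

# Constructed W3C Extended access-log sample (documentation IP ranges and made-up
# paths); it is not an observation from any real system.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-09 02:10:11 203.0.113.7 POST /ogc/processes/hello-world/execution subscriber=http%3A%2F%2F10.0.0.5%3A8080%2Fhook 200
2026-05-09 02:10:12 203.0.113.7 GET /ogc/processes/hello-world - 200
2026-05-09 02:10:13 198.51.100.9 POST /ogc/processes/hello-world/execution f=json 200
2026-05-09 02:10:14 198.51.100.9 GET /ogc/processes/hello-world/execution SUBSCRIBER=x 405
2026-05-09 02:10:15 192.0.2.4 post /OGC/Processes/echo/execution f=json&subscriber=http%3A%2F%2F127.0.0.1%3A9000%2F 200
"""

# The Sigma selection written out as (field, modifier, values). Sigma's cs-uri is
# served by the W3C cs-uri-stem column here (assumption: field alias).
FIELD_ALIASES = {"cs-uri": "cs-uri-stem"}
SELECTION = [
    ("cs-uri", "contains", ["/ogc/processes/"]),
    ("cs-uri-query", "contains", ["subscriber="]),
    ("cs-method", "exact", ["POST"]),
]


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):  # malformed line: skip rather than mis-assign columns
            continue
        # W3C writes '-' for an empty field value
        yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


def _match(value, modifier, candidates):
    """Sigma string matching is case-insensitive by default."""
    value = value.lower()
    for cand in candidates:
        cand = cand.lower()
        if modifier == "contains" and cand in value:
            return True
        if modifier == "exact" and cand == value:
            return True
    return False


def matches_rule(record):
    """All items of a Sigma selection map must match (AND semantics)."""
    for field, modifier, candidates in SELECTION:
        column = FIELD_ALIASES.get(field, field)
        if not _match(record.get(column, ""), modifier, candidates):
            return False
    return True


def subscriber_targets(query):
    """Decode the subscriber value(s) from a query string for triage."""
    parsed = parse_qs(query, keep_blank_values=True)
    return [v for key, vals in parsed.items() if key.lower() == "subscriber" for v in vals]


def find_hits(text):
    """Run the rule over a log and return one triage record per matching request."""
    hits = []
    for rec in parse_w3c(text):
        if matches_rule(rec):
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "c-ip": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "targets": subscriber_targets(rec["cs-uri-query"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['time']} {hit['c-ip']} {hit['uri']} -> {hit['targets']}")
```

Of the five constructed lines, only the first and the last match: the GET requests fail the method test even when they carry a subscriber parameter, and the mixed-case path and method on the last line still match because Sigma compares case-insensitively. The decoded target is what you would hand to the team that owns the internal address to confirm whether a callback actually arrived.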


Indicators of Compromise

ID               Type  Indicator
CVE-2026-42352   SSRF  pygeoapi versions 0.23.0 to before 0.23.3
CVE-2026-42352   SSRF  OGC API process execution requests using the subscriber object

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 09, 2026 at 02:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.


Related coverage

CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console... (medium severity, CVSS 4.3, CWE-862)

CVE-2026-6666 — A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE... (medium severity, CVSS 5.9, CWE-476)

PgBouncer SCRAM Vulnerability (CVE-2026-6665) Allows Stack Overflow
CVE-2026-6665 — The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM... (high severity, CVSS 8.1, CWE-121)