CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber
Description
### Impact

OGC API - Processes execution requests can use the `subscriber` object to make requests to internal HTTP services.

### Patches

The issue has been patched in the master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly enabled in configuration by a new `allow_internal_requests` directive). The commit/fix can be found in [3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef](https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef).

### Workarounds

Users can update existing applications by disabling process-based resources in their pygeoapi config until 0.23.3 can be installed and deployed.
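The policy the patch describes, rejecting subscriber callback URLs that resolve to internal addresses unless `allow_internal_requests` is set, as an added example. This is not pygeoapi's own code: the config layout, the helper names and the subscriber key names (`successUri` and friends, as used by OGC API - Processes) are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical config shape; the advisory names only the directive, not where it lives.
DEFAULT_CONFIG = {"allow_internal_requests": False}


def _resolve(host: str) -> list:
    """Resolve a hostname to all of its A/AAAA addresses (literal IPs pass through)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_internal(addr) -> bool:
    """True for loopback, RFC 1918/ULA, link-local, unspecified, reserved and multicast ranges."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def subscriber_url_allowed(url: str, config: dict = DEFAULT_CONFIG) -> bool:
    """Decide whether a subscriber callback URL may be contacted.

    Only http(s) is accepted, and every address the host resolves to must be
    external unless the operator has opted in with allow_internal_requests.
    Unresolvable hosts fail closed."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if config.get("allow_internal_requests", False):
        return True
    try:
        addrs = _resolve(parsed.hostname)
    except socket.gaierror:
        return False
    return all(not is_internal(a) for a in addrs)


def validate_subscriber(subscriber: dict, config: dict = DEFAULT_CONFIG) -> list:
    """Return the subscriber keys whose URL would be refused; an empty list means OK."""
    return [k for k, v in subscriber.items() if not subscriber_url_allowed(v, config)]
```

Resolving at validation time and again when the callback is sent leaves a DNS-rebinding window, so the request itself should be made to the address that was validated.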
How to fix CVE-2026-42352
To remediate CVE-2026-42352, upgrade the affected package to a fixed version below.
- pygeoapi: upgrade to 0.23.3 or later
Is CVE-2026-42352 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- pygeoapi >= 0.23.0, < 0.23.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.6) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |