Impact A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manif…
| CVE ID | CVE-2026-42351 |
| Vendor | pip |
| Affected Product | pygeoapi |
| Vulnerability Type | Vulnerability |
| CVSS Score | 7.5 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration.
The issue has been patched in master branch and made available as part of the 0.23.3 release. The commit/fix can be found in [bf25b8695edbdd5476eeffc102b633d1d3e45f52](https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52). #
Users can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.