| Field | Value |
|---|---|
| CVE ID | CVE-2026-42352 |
| Vendor | pip |
| Affected Product | pygeoapi |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.6 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
OGC API - Processes execution requests can use the subscriber object to make requests to internal HTTP services.
The issue has been patched in the master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by the new `allow_internal_requests` directive). The commit/fix can be found in [3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef](https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef).
Users can update existing applications by disabling process-based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.
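The following is an added example, not pygeoapi's own code, of the kind of check the patch describes: callback URLs in an execute request's subscriber object are resolved and rejected when they point at non-global (loopback, private, link-local) addresses, unless an `allow_internal_requests` setting is enabled. The subscriber field names (`successUri`, `inProgressUri`, `failedUri`) and the sample request are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Callback fields of the OGC API - Processes "subscriber" object (names assumed here).
SUBSCRIBER_FIELDS = ("successUri", "inProgressUri", "failedUri")


def check_subscriber_url(url: str, allow_internal_requests: bool = False) -> tuple:
    """Return (allowed, reason) for one callback URL.

    Mirrors the advisory's default: internal targets are refused unless the
    operator has explicitly opted in. Unresolvable hosts fail closed.
    Note: a resolve-time check can be raced by DNS rebinding; the connect-time
    address should be checked as well in a production HTTP client.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, f"unsupported or malformed callback URL: {url!r}"
    if allow_internal_requests:
        return True, "internal requests explicitly allowed by configuration"
    try:
        infos = socket.getaddrinfo(parts.hostname, parts.port or 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, f"cannot resolve callback host {parts.hostname!r}; rejecting (fail closed)"
    for info in infos:
        ip = ipaddress.ip_address(info[4][0])
        # is_global is False for loopback, RFC 1918, link-local, multicast, reserved, etc.
        if not ip.is_global:
            return False, f"callback host {parts.hostname!r} resolves to internal address {ip}"
    return True, "callback target is an external address"


def validate_execute_request(body: dict, allow_internal_requests: bool = False) -> dict:
    """Map each subscriber callback URL in an execute request to its (allowed, reason) verdict."""
    subscriber = body.get("subscriber") or {}
    return {field: check_subscriber_url(subscriber[field], allow_internal_requests)
            for field in SUBSCRIBER_FIELDS if field in subscriber}


# Constructed execute request: two callbacks point at loopback services, one at an external host.
SAMPLE_REQUEST = {
    "inputs": {"name": "World"},
    "subscriber": {
        "successUri": "https://93.184.216.34/hooks/done",  # constructed external address
        "inProgressUri": "http://localhost:8000/status",
        "failedUri": "http://127.0.0.1:8080/internal",
    },
}

if __name__ == "__main__":
    for field, (ok, why) in validate_execute_request(SAMPLE_REQUEST).items():
        print(f"{field}: {'allowed' if ok else 'REJECTED'} - {why}")
```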