GeoNetwork, Authorization Bypass, CVE-2026-46487 (High) -DC-Jul2026-780

How CVE-2026-46487 Works

GeoNetwork’s Elasticsearch-backed search API is designed to inject access-control and visibility filters into every incoming search request before it is forwarded to the underlying Elasticsearch index. This filtering layer is critical for enforcing group-based record visibility, draft record exclusion, record ownership checks, and portal-specific filtering.
The search proxy layer acts as an intermediary: it receives client-supplied search requests, adds GeoNetwork’s own access-control and filter clauses, and then forwards the augmented request to Elasticsearch. A flaw exists in how this filter-injection step is triggered. Under certain request conditions, the injection logic determines that filters do not need to be applied, causing the request to be forwarded to Elasticsearch without the intended access restrictions.
This flaw can be triggered by crafting specific search requests that cause the filter-injection routine to skip its enforcement logic. Because the filtering step is bypassed, Elasticsearch processes the query as if no access controls exist, returning metadata records that should have been hidden from unauthenticated users. The vulnerability affects all public-facing GeoNetwork 4.x instances from version 4.0.0-alpha.1 through 4.4.10. No authentication is required to exploit this issue, making it remotely exploitable by any unauthenticated attacker.
The root cause is a missing authorization check (CWE-862) in the request pipeline. The filter-injection step is responsible for enforcing multiple layers of access control simultaneously, and when it is skipped, all those layers are bypassed in a single request. This allows an attacker to retrieve the full contents of metadata records that should not be publicly visible, including records restricted to specific groups, draft records, and records with ownership-based restrictions.
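
An added example (not GeoNetwork's code, and not the actual trigger or fix for this CVE): a fail-closed shape for the filter-injection step described above, in which every forwarded body is wrapped and anything that cannot be wrapped is rejected. The field names, the key allowlist and the function names are assumptions made for this illustration; ownership checks are left out to keep it short.

```python
import copy

# Hypothetical index field names, chosen for this example only.
GROUP_FIELD = "visible_to_groups"
DRAFT_FIELD = "is_draft"
PORTAL_FIELD = "portal"
# Assumed allowlist: only top-level keys whose results are scoped by "query".
ALLOWED_KEYS = {"query", "from", "size", "sort", "_source"}


class RejectedRequest(Exception):
    """Raised instead of forwarding a request that cannot be filtered."""


def access_filters(group_ids, portal):
    """Mandatory clauses: group visibility, draft exclusion, portal scope."""
    return [
        {"terms": {GROUP_FIELD: sorted(group_ids)}},
        {"term": {DRAFT_FIELD: False}},
        {"term": {PORTAL_FIELD: portal}},
    ]


def inject_filters(body, group_ids, portal):
    """Wrap the client query; no branch returns the client body untouched."""
    if not isinstance(body, dict):
        raise RejectedRequest("search body must be a JSON object")
    unexpected = set(body) - ALLOWED_KEYS
    if unexpected:
        raise RejectedRequest(f"unsupported keys: {sorted(unexpected)}")
    client_query = body.get("query", {"match_all": {}})
    if not isinstance(client_query, dict) or not client_query:
        raise RejectedRequest("query must be a non-empty JSON object")
    wrapped = copy.deepcopy(body)
    # The client query only ever appears nested under the mandatory filter.
    wrapped["query"] = {"bool": {
        "must": [copy.deepcopy(client_query)],
        "filter": access_filters(group_ids, portal),
    }}
    return wrapped


def is_filtered(body, group_ids, portal):
    """Independent gate to run immediately before forwarding to Elasticsearch."""
    query = body.get("query") if isinstance(body, dict) else None
    outer = query.get("bool") if isinstance(query, dict) else None
    return isinstance(outer, dict) and outer.get("filter") == access_filters(group_ids, portal)
```

Nesting the client query under must keeps any client-supplied bool or should clause inside the mandatory filter, and is_filtered lets the forwarding code refuse any body that did not pass through inject_filters.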

DailyCVE Form

| Field | Value |
|-|-|
| Platform | GeoNetwork opensource |
| Version | 4.0.0-alpha.1 through 4.4.10 |
| Vulnerability | Authorization Bypass / Information Disclosure |
| Severity | High (CVSS 7.5) |
| Date | July 1, 2026 |
| Prediction | Patch expected July 1, 2026 (4.4.11 / 4.2.16) |

What Undercode Say

Undercode Analytics provides the following technical insights and verification commands:

Check GeoNetwork Version:

curl -s http://target-geonetwork:8080/geonetwork/ | grep -i "version"

Test for Filter Bypass (Unauthenticated):

curl -X GET "http://target-geonetwork:8080/geonetwork/srv/api/search/records?_content_type=json&limit=100" -H "Accept: application/json"

Verify Restricted Record Exposure:

curl -X GET "http://target-geonetwork:8080/geonetwork/srv/api/records/{record-id}" -H "Accept: application/json"

Check Elasticsearch Index Directly (if accessible):

curl -X GET "http://elasticsearch:9200/geonetwork/_search?q=*:*&size=100" -H "Content-Type: application/json"

Monitor for Anomalous Search Queries:

tail -f /var/log/geonetwork/geonetwork.log | grep -E "SEARCH|QUERY|UNAUTH"

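Apply Patch (Maven, when building from source; versions:set only rewrites the version in the POMs, so run this in a source tree that already contains the fix):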

mvn versions:set -DnewVersion=4.4.11
mvn clean install

Exploit

An unauthenticated attacker can exploit this vulnerability by sending crafted search requests to the GeoNetwork search API that cause the filter-injection step to be skipped. The attack requires no prior authentication and can be performed remotely over the network. By manipulating request parameters or the request structure, the attacker can force the search proxy to forward the query to Elasticsearch without the intended access-control filters. This results in Elasticsearch returning metadata records that should have been restricted, including group-limited records, draft records, and records with ownership-based visibility rules. The attacker can retrieve the full contents of these records, leading to unauthorized information disclosure.

Protection

  • Upgrade to GeoNetwork version 4.4.11 or 4.2.16, which contain the fix for this vulnerability.
  • Apply the official patch from the GeoNetwork security advisory as soon as possible.
  • Restrict network access to the GeoNetwork search API to trusted IP ranges only, as a temporary workaround.
  • Monitor logs for unusual search queries or unauthorized access attempts targeting the search endpoints.
  • Review and harden Elasticsearch security settings to ensure that even if filters are bypassed, the index itself is not directly accessible from untrusted networks.

Impact

Successful exploitation allows an unauthenticated attacker to bypass GeoNetwork’s access-control and visibility filters, retrieving metadata records that should not be publicly visible. This includes records restricted to specific groups, draft records, records with ownership-based restrictions, and records subject to portal-specific filtering. The vulnerability leads to unauthorized information disclosure (CWE-862) and affects all public-facing GeoNetwork 4.x instances from 4.0.0-alpha.1 through 4.4.10. Given the remote, unauthenticated nature of the attack and the potential exposure of sensitive metadata, this vulnerability is rated High severity with a CVSS score of 7.5.


Sources:

Reported By: github.com