GeoServer 2.20.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.3.

Thanks to everyone who contributed, and to Jody Garnett (GeoCat) for making this release.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems.

This release includes two improvements limiting Server-side request forgery (SSRF) opportunities:

We would like to thank GeoCat for addressing these two issues on behalf of Fisheries and Oceans Canada. If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

Improvements and Fixes


  • GEOS-10367 Allow GetTimeSeries to have a maximum times limit separate than WMS max dimensions


  • GEOS-10379 WCS 2.0 requested ScaleSize not being respected when crossing the dateline

  • GEOS-10377 Layers and Layer Groups get default abstract in capabilities document when none set in configuration.

  • GEOS-10373 GetTimeSeries does not work on source data with time ranges

  • GEOS-10362 Username remains in roles.xml after user removal operation

  • GEOS-10316 Regression in 2.20.x: Unable to specify JAVA_OPTS for

  • GEOS-10066 CSS ArrayList class cast exception in layer rendering

  • GEOS-9785 Invalid argument type=null when trying to use gs:Download WPS identifier

  • GEOS-9770 Cascading WMS server sets invalid I and J when using EPSG:3006 on GetFeatureInfo calls

For more information see 2.20.3 release notes.

About GeoServer 2.20

Additional information on GeoServer 2.20 series:

Release notes: ( 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )