GeoServer Blog

GeoServer 2.26.3 Release

GeoServer 2.26.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes. GeoServer 2.26.3 is made in conjunction with GeoTools 32.3, and GeoWebCache 1.26.3.

Thanks to Jody Garnett and Andrea Aime (GeoSolutions) for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered a critical update for existing installations.

  • CVE-2025-30220 XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service (High)

  • CVE-2025-30145 Denial-of-service (DoS) Vulnerability in Jiffle process (High)

  • CVE-2025-27505 Missing Authorization on REST API Index (Moderate)

The use of the CVE system allows the GeoServer team to reach a wider audience than blog posts. See project security policy for more information on how security vulnerabilities are managed.

Release notes

New Feature:

  • GEOS-11797 Add support for Jiffle expressions in coverage view setup
  • GEOS-11800 Implement GeoServer WPS SpatioTemporalZonalStatistics process

Improvement:

  • GEOS-11757 Optimize ConfigurationPasswordEncryptionHelper to Cache Encrypted Fields by Store Type
  • GEOS-11761 Add support for the clip vendor parameter to WCS as well
  • GEOS-11766 Speed up CRS and store factory lookups during catalog loading
  • GEOS-11793 WPS Read Value from Coverage Position
  • GEOS-11804 Disallow usage of var in GeoServer source code

Bug:

  • GEOS-10844 Exclude xml-apis from build
  • GEOS-11274 Cannot get a JSON legend with an external reference to a non published directory
  • GEOS-11620 Smart Data Loader plugin for GeoServer 2.26 produces a Mapping file data source definition and tries to establish a connection pool, but fails
  • GEOS-11664 Update REST security paths
  • GEOS-11684 GDAL no longer included in Docker image
  • GEOS-11689 IOUtilsTest should not ping an external web site
  • GEOS-11690 Bug in Externalize printing configuration folder
  • GEOS-11696 AdminRequestCallback not loaded due to spring bean name conflict
  • GEOS-11700 GeoFence fails in recognizing some caller IP address
  • GEOS-11703 HEAD and OPTIONS requests on the REST API return a 403
  • GEOS-11707 Ogr2OgrWfsTest test failures with GDAL 3.10.1
  • GEOS-11710 Running Jiffle on coverage views causes the NODATA to be lost
  • GEOS-11713 Concurrent LDAP builds fail on Jenkins
  • GEOS-11716 WFS POST requests fail if a layer is misconfigured
  • GEOS-11720 AttributeTypeInfoImpl doesn’t quote names properly
  • GEOS-11722 Coverage view reader partially ignores multithreaded loading
  • GEOS-11739 Excessive memory usage for WMS KML output format
  • GEOS-11747 GeoServer does not throw JAI runtime exceptions
  • GEOS-11751 Symbolizer URL in GetLegendGraphic JSON Request is Broken
  • GEOS-11755 AbstractCatalogFacade leaves dangling references to temporary Catalog
  • GEOS-11756 GeoServerDataDirectory’s default workspace location is wrong
  • GEOS-11760 Fix a potential OOM in the KML transformation
  • GEOS-11767 Regression: OL preview always uses JPEG format
  • GEOS-11769 Race conditions in LayerGroupHelper when the default catalog is not fully initialized
  • GEOS-11774 Logout with OAuth plugin will give error if logged in locally
  • GEOS-11776 CVE-2025-27505 Moderate
  • GEOS-11792 Default Service Capabilities shown on initial start with no workspaces
  • GEOS-11795 Incorrect clipping of point geometries in vector tiles
  • GEOS-11818 PageUniqueProcess regression after [GEOT-7628]

Task:

For the complete list see 2.26.3 release notes.

Community Updates

Community module development:

  • GEOS-11694 OpenID connect: allow caching authentication when an expiration is declared in the access token
  • GEOS-11711 Clickhouse DGGS stores fails to aggregate on dates
  • GEOS-11715 STAC sortby won’t work with “properties.” prefixed names
  • GEOS-11723 DGGS data store should be able to translate also intersection with multipolygon
  • GEOS-11725 Environment parameters resolving is not working on Smart data loader
  • GEOS-11738 Prevent error when oidc provider sends empty “&state=”
  • GEOS-11741 Enhancing Smart Data Loader with Override Rules
  • GEOS-11762 Feature Templates by feature type can not be listed via GeoServer Rest API
  • GEOS-11783 Longitudinal profile process should allow for input chaining
  • GEOS-11784 The longitudinal profile process should limit the number of points it can extract
  • GEOS-11785 The longitudinal profile process should respect cancellation
  • GEOS-11786 Longitudinal profile process: general performance improvements
  • GEOS-11811 Features templating editor is unable to update and save the template body

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.26 Series

Additional information on GeoServer 2.26 series:

Release notes: ( 2.26.3 | 2.26.2 | 2.26.1 | 2.26.0 | 2.26-M0 )


GeoServer 2.25.7 Release

GeoServer 2.25.7 release is now available with downloads (bin, war, windows), along with docs and extensions.

This series has previously reached end-of-life, with this release issued to address an urgent bug or security vulnerability. Please apply this update as a mitigation measure only, and plan to upgrade to a stable or maintenance release of GeoServer. GeoServer 2.25.7 is made in conjunction with GeoTools 31.7.

Thanks to Jody Garnett and Andrea Aime (GeoSolutions) for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered a critical update.

  • CVE-2025-30220 XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service (High)

  • CVE-2025-30145 Denial-of-service (DoS) Vulnerability in Jiffle process (High)

The use of the CVE system allows the GeoServer team to reach a wider audience than blog posts. See project security policy for more information on how security vulnerabilities are managed.

Release notes

Improvement:

Bug:

  • GEOS-11774 Logout with OAuth plugin will give error if logged in locally

Task:

For the complete list see 2.25.7 release notes.

Community Updates

Community module development:

  • GEOS-11762 Feature Templates by feature type can not be listed via GeoServer Rest API
  • GEOS-11783 Longitudinal profile process should allow for input chaining
  • GEOS-11784 The longitudinal profile process should limit the number of points it can extract
  • GEOS-11785 The longitudinal profile process should respect cancellation
  • GEOS-11786 Longitudinal profile process: general performance improvements
  • GEOS-11811 Features templating editor is unable to update and save the template body

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.25 Series

Additional information on GeoServer 2.25 series:

Release notes: ( 2.25.7 | 2.25.6 | 2.25.5 | 2.25.4 | 2.25.3 | 2.25.2 | 2.25.1 | 2.25.0 | 2.25-RC )


GeoServer 2025 Q2 Developer Update

The GeoServer team is charging ahead with our 2025 roadmap plans.

Thanks to 2025 Sponsors:

CITE Certification

A great deal of progress has been made on CITE Certification with the most recent GeoServer 2.27.0 Release passing tests! This is great for interoperability and project stability as the CITE tests act as an external “blackbox” testing framework and this verifies that GeoServer is operating as intended.

We are presently determining how to pay for certification:

  • The Open Source Geospatial Foundation has negotiated a reduced rate of $150 annual cost per standard certified.
  • We are prioritizing tests where we can act as a “reference implementation” resulting in no annual cost for OSGeo.
  • For Web Feature Service we pass tests for WFS 2.0, WFS 1.1, and WFS 1.0 which would add up to $450. It may be worthwhile only being certified for the latest WFS 2.0 to reduce the costs to $150.
  • There are also now CITE tests for output formats. This would allow the WFS and WPS output to be certified on individual formats like GeoPackage and GeoTIFF.

While GeoServer presently “implements” these standards, our sponsorship level is not sufficient to allow us to feel comfortable paying annual costs for “certification”.

Full certification amounts to $900 a year, while certifying only the latest services amounts to $450 a year.

OGC Standard            Full Certification    Latest Services

Services
OGC API - Features      $150 Certified        $150 Certified
WCS 2.0.1               $0 Reference          $0 Reference
WCS 1.1.1               $0 Reference          $0 Reference
WCS 1.0                 $0 Reference          $0 Reference
WFS 2.0                 $150 Certified        $150 Certified
WFS 1.1.0               $150 Certified        $0 Implements
WFS 1.0.0               $0 Reference          $0 Reference
WMS 1.3.0               $150 Certified        $150 Certified
WMS 1.1.1               $150 Certified        $0 Implements
WMTS 1.0.0              $0 Reference          $0 Reference

Data formats and encodings
GeoTIFF 1.1             $150 Certified        $0 Implements
GeoPackage 1.2          $150 Certified        $0 Implements

How you can help: We would really like confirmation that certification is valuable to the community. If you think it is valuable, please let us know in the Discourse forum or, even better, if you are interested in sponsoring part of the certification, please do speak up! If we do not hear from anyone, we might not pursue formal certification any further.

Many thanks to prior sponsors of this activity including Gaia3D, and OSGeo:UK.

GeoServer 3

The big news is that GeoServer 3 crowdfunding campaign phase one has been successful, allowing the project plan milestones to be scheduled.

We are working around the GeoServer release schedule to avoid disruption to the project:

  • Milestone 1 : Preparation (May-September)
    Doing everything possible ahead of time before the migration to spring-framework-6.

    Milestone 1 is already in progress, see the headings below for specific activities.

    Milestone 1 activities will be taking place on the main branch ahead of the GeoServer 2.28 release. As tasks are completed, your feedback and continuous testing of nightly builds will be highly appreciated. Please chat to us about how you can automate the testing in your non-production environments.

  • Milestone 2 : Migration (October-December)
    Requires a coordinated “code-freeze” across nine codebases migrating to spring-framework-6.

    This activity is going to take careful planning, and we anticipate scheduling an in-person sprint for the migration.

    While initial work may occur on a dev branch, GeoServer 3 will take over the main branch after the September release of GeoServer 2.28.0.

  • Milestone 3: Delivery (January-March)
    The moment we have the code-base working again, Milestone 3 activities include continuing the testing of nightly builds, checking integration with downstream applications, and feedback from anyone wishing to work on restoring a community module to GeoServer 3.

    This pace allows GeoServer 3.0 to be ready in 2026 Q1, respecting our normal time-boxed release cycle.

GeoServer 3 Milestones

Milestone 1

Checking in on Milestone 1 activities, there is lots of work to be done!

Spring Framework Preparation, Java 17, and Project and Build Support

To get the codebase ready for widespread change, Gabriel will be looking at setting up a GeoTools “bill of materials” pom.xml file providing GeoServer and other applications an easy way to manage the currently tested set of dependencies.

  • Updating to Java 17 is a key requirement for Spring Framework 6 and JakartaEE so expect many of these dependencies to be updated or replaced over the course of GeoServer 2.28 development.
  • Spring Framework 6 also removes a lot of deprecated APIs and dependencies, providing work to do for GeoWebCache and GeoServer codebases

ImageN and JAI-Ext Online Sprint (May 26-27)

The biggest GeoServer 3 Milestone 1 activity is restarting the ImageN project and combining forces with JAI-Ext for a new image processing engine:

  • ImageN represents the Oracle donation of the original Java Advanced Imaging codebase to the Eclipse Foundation (using a new name that does not contain “Java”).
  • The ImageN project is being restarted, with Andrea and Daniele being recently added to the project.
  • Project website has been updated with a slightly revised scope to reflect the addition of the JAI-Ext codebase.
  • We will be cutting some unused functionality, such as RMI, and restructuring the maven build to reflect some of the lessons learned with JAI-Ext and GeoTools build practices.
  • Andrea has a rough project plan which we will capture as a project board in the weeks ahead.
  • Communication is taking place over on the imagen-dev mailing list.

Andrea and Jody are organizing an ImageN Online Sprint for May 26-27 where the bulk of the work will take place. We plan to follow the same approach as the OpenGIS Harmonization activity where refactor scripts are produced, and tested on the GeoTools / GeoWebCache / GeoServer codebases during development.

Spring Security and OAuth2 / OIDC Security Modules

The next technical challenge is the work needed to update to the next version (6) of the Spring Security Framework. There have been considerable API changes, resulting in the need to completely replace the existing OAuth2 and OIDC community modules. Our existing community modules are based on the deprecated spring-security-oauth library which has now reached end of life. The Spring Security Core library now has OAuth2 support, necessitating a new GeoServer extension that makes direct use of the built-in OAuth2 support.

Andreas Watermeyer (ITS Digital Solutions) has been working on these activities:

  • GeoServer 2.27.0 includes the upgrade to Spring Security 5.8, and there is a checklist to complete before upgrading further to version 6.
  • Andreas has a draft pull request re-implementing the OAuth2 security modules, which we are looking forward to incorporating, and we plan to port all the test cases over to ensure that it covers the same functionality.

Ideally GeoServer 2.28.0 will include both the old and the new Spring Security OAuth2 community modules, allowing everyone to upgrade easily and report back any regressions found.

Wicket

A big accomplishment in the recent GeoServer 2.27.0 Release is progress towards Wicket 10 by Brad and David:

  • Wicket 9
  • Wicket Dialog
  • Wicket Content Security Policy

There are a few remaining items to work on, such as the Java 17 build, before upgrading to Wicket 10.

It is great that we have already tackled many of the technical challenges above, and have received positive responses from GeoServer 2.27.0 testers.

Crowdfunding

GeoServer 3 crowdfunding has completed the Commitment Phase - thank you for your trust and support. We are now contacting supporters to engage with them further.

GeoServer 3 is supported by the following organisation:

Individual donations: Abhijit Gujar, Hennessy Becerra, Ivana Ivanova, John Bryant, Jason Horning, Peter Smythe, Sajjadul Islam, Sebastiano Meier, Stefan Overkamp.


GeoServer 3 Crowdfunding – Last Call!

The GeoServer 3 crowdfunding campaign is now entering its final phase. After months of effort and strong engagement from the geospatial community, we are approaching our collective goal. The campaign has reached over 90% of its target, with only €40,000 remaining. Several organizations are currently engaged in discussions, and we remain confident that we will successfully complete the campaign.

📅 We will officially close the campaign on Monday, April 21, 2025.
This is the final window of opportunity for organizations that wish to contribute and ensure GeoServer’s continued innovation and reliability.

Last Call - GeoServer 3 Crowdfunding Campaign

Why this upgrade is critical

GeoServer 3 is more than just a version number—it is a significant technical shift that will modernize the platform’s foundations and secure its future. This includes:

  • Migration to Spring 6 and JDK 17: Required to maintain compatibility with modern Java ecosystems, ensure long-term support, and adopt secure, future-proof components.
  • End of support for Spring 5: From January 2025, no more security updates will be provided, making the upgrade essential for compliance and operational security.
  • OAuth2 support and improved security architecture: Crucial for enterprise-grade authentication and integration with modern infrastructure.
  • Switch from JAI to ImageN: A much-needed replacement for image processing, improving speed, maintainability, and compatibility.
  • Alignment with current deployment environments: Including Tomcat 10 and Jakarta EE, ensuring compatibility with containerized and cloud-native environments.

You can learn more about the technical transition already underway in this behind-the-scenes update.

What happens if we exceed the goal?

If the total contributions exceed the financial target, the additional workforce funded through this campaign will be redirected to tasks identified and prioritized by the GeoServer Project Steering Committee (PSC). This ensures the extra support directly benefits the project’s long-term roadmap and the broader user community.

Acknowledgements and next steps

We extend our sincere thanks to all who have supported this campaign so far—through funding, code contributions, testing, and outreach. The effort has already mobilized an international team of core contributors who are ready to move forward.

We now invite all remaining stakeholders to join before the deadline. If your organization uses GeoServer and values its open, sustainable evolution, this is your moment to act.

🔗 To pledge or contact the coordination team, please visit:
https://geoserver.org/sponsor/gs3-crowdfunding

Let’s complete this journey—together.

GeoServer 3 is supported by the following organisation:

Individual donations: Abhijit Gujar, Hennessy Becerra, Ivana Ivanova, John Bryant, Jason Horning, Peter Smythe, Sajjadul Islam, Sebastiano Meier, Stefan Overkamp.


Mastering WFS Transactions in GeoServer

GeoSpatial Techno is a startup focused on geospatial information that is providing e-learning courses to enhance the knowledge of geospatial information users, students, and other startups. The main approach of this startup is providing quality, valid specialized training in the field of geospatial information.

( YouTube | LinkedIn | Facebook | X )


Mastering WFS Transactions in GeoServer: A Comprehensive Guide

In this session, we’ll explore WFS transactions available in GeoServer. If you want to access the complete tutorial, click on the link.

Introduction

Web Feature Service (WFS) transactions in GeoServer give users the ability to manipulate geographic data when serving and editing geospatial information over the web. This feature allows for direct editing of spatial features within a dataset through a web browser or application, without needing to download and edit the data locally.

WFS transactions in GeoServer allow users to dynamically edit spatial data by sending XML requests to insert, update, or delete features. This real-time editing is crucial for applications like online maps and collaborative planning systems. It improves efficiency, data accuracy, and supports real-time collaboration.

Note. This video was recorded on GeoServer 2.22.4, which is not the most up-to-date version. Currently, versions 2.25.x and 2.26.x are supported. To ensure you have the latest release, please visit this link and avoid using older versions of GeoServer.

Note. In all examples in this blog post, we utilize the topp:tasmania_roads layer.

WFS Insert Feature

The Insert Feature operation, when used with GeoServer’s WFS transaction feature, allows users to append new features to an existing dataset. This ensures the new feature is securely added to the layer, preventing data duplication and errors.

Note. Back up your data and configuration before making any changes to avoid potential data loss or unexpected behavior.

Here is an example of how to use the WFS insert feature in GeoServer:

  • Navigate to the Demos page, then click on the Demo requests link.
  • From the Request drop-down list, select WFS_transactionInsert.xml.
  • Enter the new coordinates and road type as follows:

    <wfs:Insert>
      <topp:tasmania_roads>
        <topp:the_geom>
          <gml:MultiLineString srsName="http://www.opengis.net/gml/srs/epsg.xml#4326">
            <gml:lineStringMember>
              <gml:LineString>
                <gml:coordinates decimal="." cs="," ts=" ">
                  145.2,-42.5 145.2,-43.3 145.8,-43.3
                </gml:coordinates>
              </gml:LineString>
            </gml:lineStringMember>
          </gml:MultiLineString>
        </topp:the_geom>
        <topp:TYPE>street</topp:TYPE>
      </topp:tasmania_roads>
    </wfs:Insert>
    
  • Remember that using the WFS transaction in GeoServer requires appropriate permissions and access rights to ensure that only authorized users can modify the data. Enter the username and password to be authorized, and then press the Submit button.
  • GeoServer processes the transaction request. If successful, it adds the new feature to the road layer; if unsuccessful, relevant error information is displayed and no changes are made to the data.
  • Navigate to the Layer Preview section and open up the OpenLayers preview for the tasmania_roads layer. Your map should now look like this:

[Image: WFS_InsertFeature]

You have successfully used the insert feature with WFS transaction in GeoServer to add a new street to your dataset.

WFS Update Feature

The Update feature of the WFS transaction in GeoServer enables users to modify existing features within a geospatial dataset. By submitting a request that specifies both the feature type and the desired changes to attributes and geometry, users can efficiently update specific attributes while altering the shape, location, and size of various features.

Here are the steps to perform an update feature with WFS transaction in GeoServer:

  • Select WFS_transactionUpdateGeom.xml from the Request drop-down list, then edit the code as follows:

    <wfs:Update typeName="topp:tasmania_roads">
      <wfs:Property>
        <wfs:Name>the_geom</wfs:Name>
        <wfs:Value>
          <gml:MultiLineString srsName="http://www.opengis.net/gml/srs/epsg.xml#4326">
            <gml:lineStringMember>
              <gml:LineString>
                <gml:coordinates>145.55,-42.7 145.04,-43.04 145.8,-43.4</gml:coordinates>
              </gml:LineString>
            </gml:lineStringMember>
          </gml:MultiLineString>
        </wfs:Value>
      </wfs:Property>
      <ogc:Filter>
        <ogc:FeatureId fid="tasmania_roads.15"/>
      </ogc:Filter>
    </wfs:Update>
    
  • Enter the username and password to be authorized, and then press the Submit button.
  • After GeoServer has processed the transaction request, go back to the Layer Preview section and open up the OpenLayers preview for the tasmania_roads layer. Your map should now look like this:

[Image: WFS_UpdateFeature]

WFS Delete Feature

This operation allows users to selectively remove specific features from a dataset by providing their unique identifiers. The process of deleting features can be seamlessly executed through the WFS transaction capabilities in GeoServer.

This functionality gives users more control over their geospatial database, helping them manage and manipulate data efficiently. As an example, let’s remove the features whose type attribute is equal to road. To do this, follow the steps displayed on the screen:

  • Select WFS_transactionDelete.xml from the Request drop-down list, then edit the code as follows:

    <wfs:Delete typeName="topp:tasmania_roads">
      <ogc:Filter>
        <ogc:PropertyIsEqualTo>
          <ogc:PropertyName>topp:TYPE</ogc:PropertyName>
          <ogc:Literal>road</ogc:Literal>
        </ogc:PropertyIsEqualTo>
      </ogc:Filter>
    </wfs:Delete>
    
  • Enter the username and password to be authorized, and then press the Submit button.
  • After GeoServer has processed the transaction request, open the preview for the tasmania_roads layer. As you can see, the features of type Road have been deleted.

[Image: WFS_DeleteFeature]

Remember that you can define filter conditions to remove specific features using the WFS Delete transaction. These can include feature IDs, attributes, spatial extent or other criteria.

  • Again, select WFS_transactionDelete.xml from the Request drop-down list, then edit the code as follows:

    <wfs:Delete typeName="topp:tasmania_roads">
      <ogc:Filter>
        <ogc:FeatureId fid="tasmania_roads.15"/>
      </ogc:Filter>
    </wfs:Delete>
    
  • Enter the username and password to be authorized, and then press the Submit button.
  • After the GeoServer has processed the transaction request, open the OpenLayers preview for the tasmania_roads layer from the Layer Preview section. As you can see, the fid 15 has been deleted.
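The Delete steps above edit only a fragment of the demo request. The following added example (not part of the original tutorial or of GeoServer) builds the complete documents in Python, escaping the filter value, and pairs the Delete with a GetFeature that uses the same filter so the matching features can be reviewed before anything is removed. The WFS version 1.0.0, the topp namespace URI, the function names and the sample response are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Namespace URIs of a WFS 1.0.0 request (assumed version).
WFS = "http://www.opengis.net/wfs"
OGC = "http://www.opengis.net/ogc"
TOPP = "http://www.openplans.org/topp"  # assumed URI of the topp workspace


def _envelope(operation, body):
    """Wrap a fragment in a root element that declares every prefix used."""
    return (
        f'<wfs:{operation} service="WFS" version="1.0.0"\n'
        f'    xmlns:wfs="{WFS}" xmlns:ogc="{OGC}" xmlns:topp="{TOPP}">\n'
        f"{body}\n"
        f"</wfs:{operation}>"
    )


def equals_filter(prop, value):
    """ogc:Filter for prop == value. Both strings are escaped, so a value
    that contains markup characters stays a literal inside the filter."""
    return (
        "  <ogc:Filter>\n"
        "    <ogc:PropertyIsEqualTo>\n"
        f"      <ogc:PropertyName>{escape(prop)}</ogc:PropertyName>\n"
        f"      <ogc:Literal>{escape(value)}</ogc:Literal>\n"
        "    </ogc:PropertyIsEqualTo>\n"
        "  </ogc:Filter>"
    )


def delete_request(type_name, filter_xml):
    """Complete Transaction document around the tutorial's wfs:Delete."""
    body = (f"<wfs:Delete typeName={quoteattr(type_name)}>\n"
            f"{filter_xml}\n</wfs:Delete>")
    return _envelope("Transaction", body)


def preview_request(type_name, filter_xml):
    """GetFeature with the same filter: lists what the Delete would remove."""
    body = (f"<wfs:Query typeName={quoteattr(type_name)}>\n"
            f"{filter_xml}\n</wfs:Query>")
    return _envelope("GetFeature", body)


def transaction_succeeded(response_xml):
    """True only if a WFS 1.0.0 transaction response reports wfs:SUCCESS."""
    root = ET.fromstring(response_xml)
    return root.find(f".//{{{WFS}}}Status/{{{WFS}}}SUCCESS") is not None


# Constructed sample response, not captured from a server.
SAMPLE_RESPONSE = (
    f'<wfs:WFS_TransactionResponse version="1.0.0" xmlns:wfs="{WFS}">'
    "<wfs:TransactionResult><wfs:Status><wfs:SUCCESS/></wfs:Status>"
    "</wfs:TransactionResult></wfs:WFS_TransactionResponse>"
)

if __name__ == "__main__":
    flt = equals_filter("topp:TYPE", "road")
    print(preview_request("topp:tasmania_roads", flt))  # review matches first
    print(delete_request("topp:tasmania_roads", flt))   # then send the Delete
    print(transaction_succeeded(SAMPLE_RESPONSE))
```
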

In this session, we took a brief journey to explore WFS Transaction to insert, update, and remove features in GeoServer. If you want to access the complete tutorial, click on the link.
